mcp-hangar 0.2.0__py3-none-any.whl

mcp_hangar/infrastructure/auth/projections.py

@@ -0,0 +1,366 @@
+"""Auth Projections - Read models built from events.
+
+Projections listen to domain events and build optimized read models
+for queries. They are part of CQRS read side.
+"""
+
+from dataclasses import dataclass, replace
+from datetime import datetime, timezone
+import threading
+from typing import Any
+
+from ...domain.contracts.event_store import IEventStore
+from ...domain.events import ApiKeyCreated, ApiKeyRevoked, DomainEvent, RoleAssigned, RoleRevoked
+from ...logging_config import get_logger
+
+logger = get_logger(__name__)
+
+
+@dataclass
+class ApiKeyReadModel:
+    """Read model for API key queries."""
+
+    key_id: str
+    key_hash: str
+    principal_id: str
+    name: str
+    tenant_id: str | None
+    groups: list[str]
+    created_at: datetime
+    created_by: str
+    expires_at: datetime | None
+    revoked: bool
+    revoked_at: datetime | None = None
+    revoked_by: str | None = None
+    revocation_reason: str | None = None
+
+
+@dataclass
+class RoleAssignmentReadModel:
+    """Read model for role assignment queries."""
+
+    principal_id: str
+    role_name: str
+    scope: str
+    assigned_at: datetime
+    assigned_by: str
+
+
+class AuthProjection:
+    """Projection that builds auth read models from events.
+
+    Processes events from the event store and maintains in-memory
+    read models optimized for queries.
+
+    Features:
+    - Indexes by key_hash, key_id, and principal_id
+    - Role assignments indexed by principal_id
+    - Thread-safe access
+    - Supports catchup from event store
+    """
+
+    def __init__(self, event_store: IEventStore | None = None):
+        """Initialize the projection.
+
+        Args:
+            event_store: Optional event store for catchup.
+        """
+        self._event_store = event_store
+        self._lock = threading.RLock()
+
+        # API Key indexes
+        self._keys_by_hash: dict[str, ApiKeyReadModel] = {}
+        self._keys_by_id: dict[str, ApiKeyReadModel] = {}
+        self._keys_by_principal: dict[str, list[str]] = {}  # principal -> key_ids
+
+        # Role assignment indexes
+        self._roles_by_principal: dict[str, list[RoleAssignmentReadModel]] = {}
+
+        # Track position for incremental updates
+        self._last_position = 0
+
+    def catchup(self) -> int:
+        """Catch up with events from event store.
+
+        Reads all events from last known position and applies them.
+
+        Returns:
+            Number of events processed.
+        """
+        if not self._event_store:
+            return 0
+
+        count = 0
+        for position, stream_id, event in self._event_store.read_all(from_position=self._last_position):
+            self.apply(event)
+            self._last_position = position
+            count += 1
+
+        logger.info(
+            "auth_projection_catchup_complete",
+            events_processed=count,
+            last_position=self._last_position,
+        )
+
+        return count
+
+    def apply(self, event: DomainEvent) -> None:
+        """Apply a domain event to update read models.
+
+        Args:
+            event: Event to apply.
+        """
+        if isinstance(event, ApiKeyCreated):
+            self._apply_key_created(event)
+        elif isinstance(event, ApiKeyRevoked):
+            self._apply_key_revoked(event)
+        elif isinstance(event, RoleAssigned):
+            self._apply_role_assigned(event)
+        elif isinstance(event, RoleRevoked):
+            self._apply_role_revoked(event)
+
+    def _apply_key_created(self, event: ApiKeyCreated) -> None:
+        """Apply ApiKeyCreated event."""
+        with self._lock:
+            # We don't have key_hash in the event - that's stored in stream_id
+            # For now, create read model without hash (can be updated later)
+            model = ApiKeyReadModel(
+                key_id=event.key_id,
+                key_hash="",  # Will be set when we know it
+                principal_id=event.principal_id,
+                name=event.key_name,
+                tenant_id=None,  # Not in event
+                groups=[],  # Not in event
+                created_at=datetime.fromtimestamp(event.occurred_at, tz=timezone.utc),
+                created_by=event.created_by,
+                expires_at=datetime.fromtimestamp(event.expires_at, tz=timezone.utc) if event.expires_at else None,
+                revoked=False,
+            )
+
+            self._keys_by_id[event.key_id] = model
+
+            if event.principal_id not in self._keys_by_principal:
+                self._keys_by_principal[event.principal_id] = []
+            self._keys_by_principal[event.principal_id].append(event.key_id)
+
+    def _apply_key_revoked(self, event: ApiKeyRevoked) -> None:
+        """Apply ApiKeyRevoked event."""
+        with self._lock:
+            if event.key_id in self._keys_by_id:
+                model = self._keys_by_id[event.key_id]
+                # Create updated model using immutable pattern
+                self._keys_by_id[event.key_id] = replace(
+                    model,
+                    revoked=True,
+                    revoked_at=datetime.fromtimestamp(event.occurred_at, tz=timezone.utc),
+                    revoked_by=event.revoked_by,
+                    revocation_reason=event.reason,
+                )
+
+    def _apply_role_assigned(self, event: RoleAssigned) -> None:
+        """Apply RoleAssigned event."""
+        with self._lock:
+            model = RoleAssignmentReadModel(
+                principal_id=event.principal_id,
+                role_name=event.role_name,
+                scope=event.scope,
+                assigned_at=datetime.fromtimestamp(event.occurred_at, tz=timezone.utc),
+                assigned_by=event.assigned_by,
+            )
+
+            if event.principal_id not in self._roles_by_principal:
+                self._roles_by_principal[event.principal_id] = []
+
+            # Check if already assigned (idempotency)
+            existing = next(
+                (
+                    r
+                    for r in self._roles_by_principal[event.principal_id]
+                    if r.role_name == event.role_name and r.scope == event.scope
+                ),
+                None,
+            )
+            if not existing:
+                self._roles_by_principal[event.principal_id].append(model)
+
+    def _apply_role_revoked(self, event: RoleRevoked) -> None:
+        """Apply RoleRevoked event."""
+        with self._lock:
+            if event.principal_id in self._roles_by_principal:
+                self._roles_by_principal[event.principal_id] = [
+                    r
+                    for r in self._roles_by_principal[event.principal_id]
+                    if not (r.role_name == event.role_name and r.scope == event.scope)
+                ]
+
+    # =========================================================================
+    # Queries
+    # =========================================================================
+
+    def get_key_by_id(self, key_id: str) -> ApiKeyReadModel | None:
+        """Get API key by ID."""
+        with self._lock:
+            return self._keys_by_id.get(key_id)
+
+    def get_keys_for_principal(self, principal_id: str) -> list[ApiKeyReadModel]:
+        """Get all API keys for a principal."""
+        with self._lock:
+            key_ids = self._keys_by_principal.get(principal_id, [])
+            return [self._keys_by_id[kid] for kid in key_ids if kid in self._keys_by_id]
+
+    def get_active_key_count(self, principal_id: str) -> int:
+        """Get count of active (non-revoked) keys for a principal."""
+        keys = self.get_keys_for_principal(principal_id)
+        return sum(1 for k in keys if not k.revoked)
+
+    def get_roles_for_principal(self, principal_id: str) -> list[RoleAssignmentReadModel]:
+        """Get all role assignments for a principal."""
+        with self._lock:
+            return list(self._roles_by_principal.get(principal_id, []))
+
+    def has_role(self, principal_id: str, role_name: str, scope: str = "*") -> bool:
+        """Check if principal has a specific role."""
+        roles = self.get_roles_for_principal(principal_id)
+        for role in roles:
+            if role.role_name == role_name:
+                if scope == "*" or role.scope == scope or role.scope == "global":
+                    return True
+        return False
+
+    # =========================================================================
+    # Statistics
+    # =========================================================================
+
+    def get_stats(self) -> dict[str, Any]:
+        """Get projection statistics."""
+        with self._lock:
+            total_keys = len(self._keys_by_id)
+            revoked_keys = sum(1 for k in self._keys_by_id.values() if k.revoked)
+
+            total_assignments = sum(len(roles) for roles in self._roles_by_principal.values())
+
+            return {
+                "total_api_keys": total_keys,
+                "active_api_keys": total_keys - revoked_keys,
+                "revoked_api_keys": revoked_keys,
+                "total_principals_with_keys": len(self._keys_by_principal),
+                "total_role_assignments": total_assignments,
+                "total_principals_with_roles": len(self._roles_by_principal),
+                "last_event_position": self._last_position,
+            }
+
+
+class AuthAuditLog:
+    """Audit log projection for auth events.
+
+    Maintains a time-ordered log of all auth events for audit purposes.
+    """
+
+    def __init__(self, max_entries: int = 10000):
+        """Initialize audit log.
+
+        Args:
+            max_entries: Maximum entries to keep in memory.
+        """
+        self._max_entries = max_entries
+        self._entries: list[dict[str, Any]] = []
+        self._lock = threading.RLock()
+
+    def apply(self, event: DomainEvent) -> None:
+        """Apply event to audit log."""
+        entry = self._event_to_entry(event)
+        if entry:
+            with self._lock:
+                self._entries.append(entry)
+
+                # Trim if over limit
+                if len(self._entries) > self._max_entries:
+                    self._entries = self._entries[-self._max_entries :]
+
+    def _event_to_entry(self, event: DomainEvent) -> dict[str, Any] | None:
+        """Convert event to audit entry."""
+        if isinstance(event, ApiKeyCreated):
+            return {
+                "timestamp": event.occurred_at,
+                "event_type": "api_key_created",
+                "principal_id": event.principal_id,
+                "details": {
+                    "key_id": event.key_id,
+                    "key_name": event.key_name,
+                    "created_by": event.created_by,
+                    "expires_at": event.expires_at,
+                },
+            }
+
+        elif isinstance(event, ApiKeyRevoked):
+            return {
+                "timestamp": event.occurred_at,
+                "event_type": "api_key_revoked",
+                "principal_id": event.principal_id,
+                "details": {
+                    "key_id": event.key_id,
+                    "revoked_by": event.revoked_by,
+                    "reason": event.reason,
+                },
+            }
+
+        elif isinstance(event, RoleAssigned):
+            return {
+                "timestamp": event.occurred_at,
+                "event_type": "role_assigned",
+                "principal_id": event.principal_id,
+                "details": {
+                    "role_name": event.role_name,
+                    "scope": event.scope,
+                    "assigned_by": event.assigned_by,
+                },
+            }
+
+        elif isinstance(event, RoleRevoked):
+            return {
+                "timestamp": event.occurred_at,
+                "event_type": "role_revoked",
+                "principal_id": event.principal_id,
+                "details": {
+                    "role_name": event.role_name,
+                    "scope": event.scope,
+                    "revoked_by": event.revoked_by,
+                },
+            }
+
+        return None
+
+    def query(
+        self,
+        principal_id: str | None = None,
+        event_type: str | None = None,
+        since: float | None = None,
+        limit: int = 100,
+    ) -> list[dict[str, Any]]:
+        """Query audit log entries.
+
+        Args:
+            principal_id: Filter by principal.
+            event_type: Filter by event type.
+            since: Filter entries after this timestamp.
+            limit: Maximum entries to return.
+
+        Returns:
+            List of matching audit entries.
+        """
+        with self._lock:
+            result = []
+            for entry in reversed(self._entries):
+                # Apply filters
+                if principal_id and entry.get("principal_id") != principal_id:
+                    continue
+                if event_type and entry.get("event_type") != event_type:
+                    continue
+                if since and entry.get("timestamp", 0) <= since:
+                    continue
+
+                result.append(entry)
+                if len(result) >= limit:
+                    break
+
+            return result

mcp_hangar/infrastructure/auth/rate_limiter.py

@@ -0,0 +1,311 @@
+"""Rate limiting for authentication attempts.
+
+Provides protection against brute-force attacks by limiting
+the number of failed authentication attempts per IP address.
+
+Uses a token bucket algorithm with per-IP tracking.
+"""
+
+from dataclasses import dataclass, field
+import threading
+import time
+from typing import NamedTuple
+
+import structlog
+
+logger = structlog.get_logger(__name__)
+
+
+class RateLimitResult(NamedTuple):
+    """Result of a rate limit check."""
+
+    allowed: bool
+    remaining: int
+    retry_after: float | None  # Seconds until next attempt allowed
+    reason: str
+
+
+@dataclass
+class AuthRateLimitConfig:
+    """Configuration for authentication rate limiting.
+
+    Attributes:
+        enabled: Whether rate limiting is enabled.
+        max_attempts: Maximum failed attempts per window.
+        window_seconds: Time window for counting attempts.
+        lockout_seconds: How long to lock out after exceeding limit.
+        cleanup_interval: How often to clean up old entries.
+    """
+
+    enabled: bool = True
+    max_attempts: int = 10
+    window_seconds: int = 60
+    lockout_seconds: int = 300
+    cleanup_interval: int = 300  # 5 minutes
+
+
+@dataclass
+class _AttemptTracker:
+    """Tracks authentication attempts for a single IP."""
+
+    attempts: list[float] = field(default_factory=list)
+    locked_until: float | None = None
+
+
+class AuthRateLimiter:
+    """Rate limiter for authentication attempts.
+
+    Tracks failed authentication attempts per IP address and
+    blocks IPs that exceed the configured threshold.
+
+    Thread-safe implementation using RLock.
+
+    Usage:
+        limiter = AuthRateLimiter(config)
+
+        # Before authentication
+        result = limiter.check_rate_limit(client_ip)
+        if not result.allowed:
+            raise RateLimitExceeded(result.retry_after)
+
+        # After failed authentication
+        limiter.record_failure(client_ip)
+
+        # After successful authentication
+        limiter.record_success(client_ip)
+    """
+
+    def __init__(self, config: AuthRateLimitConfig | None = None):
+        """Initialize rate limiter.
+
+        Args:
+            config: Rate limit configuration. Uses defaults if None.
+        """
+        self._config = config or AuthRateLimitConfig()
+        self._trackers: dict[str, _AttemptTracker] = {}
+        self._lock = threading.RLock()
+        self._last_cleanup = time.time()
+
+    @property
+    def enabled(self) -> bool:
+        """Check if rate limiting is enabled."""
+        return self._config.enabled
+
+    def check_rate_limit(self, ip: str) -> RateLimitResult:
+        """Check if an IP is allowed to attempt authentication.
+
+        Args:
+            ip: Client IP address.
+
+        Returns:
+            RateLimitResult indicating if attempt is allowed.
+        """
+        if not self._config.enabled:
+            return RateLimitResult(
+                allowed=True,
+                remaining=self._config.max_attempts,
+                retry_after=None,
+                reason="rate_limiting_disabled",
+            )
+
+        now = time.time()
+
+        with self._lock:
+            self._maybe_cleanup(now)
+
+            tracker = self._trackers.get(ip)
+            if tracker is None:
+                return RateLimitResult(
+                    allowed=True,
+                    remaining=self._config.max_attempts,
+                    retry_after=None,
+                    reason="no_previous_attempts",
+                )
+
+            # Check if locked out
+            if tracker.locked_until is not None:
+                if now < tracker.locked_until:
+                    retry_after = tracker.locked_until - now
+                    logger.warning(
+                        "auth_rate_limit_locked",
+                        ip=ip,
+                        retry_after=retry_after,
+                    )
+                    return RateLimitResult(
+                        allowed=False,
+                        remaining=0,
+                        retry_after=retry_after,
+                        reason="locked_out",
+                    )
+                else:
+                    # Lockout expired, reset tracker
+                    tracker.locked_until = None
+                    tracker.attempts.clear()
+
+            # Count attempts in current window
+            window_start = now - self._config.window_seconds
+            recent_attempts = [t for t in tracker.attempts if t > window_start]
+            tracker.attempts = recent_attempts  # Prune old attempts
+
+            remaining = self._config.max_attempts - len(recent_attempts)
+
+            if remaining <= 0:
+                # Lock out the IP
+                tracker.locked_until = now + self._config.lockout_seconds
+                logger.warning(
+                    "auth_rate_limit_exceeded",
+                    ip=ip,
+                    attempts=len(recent_attempts),
+                    lockout_seconds=self._config.lockout_seconds,
+                )
+                return RateLimitResult(
+                    allowed=False,
+                    remaining=0,
+                    retry_after=self._config.lockout_seconds,
+                    reason="rate_limit_exceeded",
+                )
+
+            return RateLimitResult(
+                allowed=True,
+                remaining=remaining,
+                retry_after=None,
+                reason="within_limit",
+            )
+
+    def record_failure(self, ip: str) -> None:
+        """Record a failed authentication attempt.
+
+        Args:
+            ip: Client IP address.
+        """
+        if not self._config.enabled:
+            return
+
+        now = time.time()
+
+        with self._lock:
+            if ip not in self._trackers:
+                self._trackers[ip] = _AttemptTracker()
+
+            tracker = self._trackers[ip]
+            tracker.attempts.append(now)
+
+            logger.debug(
+                "auth_failure_recorded",
+                ip=ip,
+                total_attempts=len(tracker.attempts),
+            )
+
+    def record_success(self, ip: str) -> None:
+        """Record a successful authentication (clears failure count).
+
+        Args:
+            ip: Client IP address.
+        """
+        if not self._config.enabled:
+            return
+
+        with self._lock:
+            if ip in self._trackers:
+                del self._trackers[ip]
+                logger.debug("auth_success_cleared_tracker", ip=ip)
+
+    def get_status(self, ip: str) -> dict:
+        """Get rate limit status for an IP.
+
+        Args:
+            ip: Client IP address.
+
+        Returns:
+            Dict with rate limit status information.
+        """
+        with self._lock:
+            tracker = self._trackers.get(ip)
+            if tracker is None:
+                return {
+                    "ip": ip,
+                    "attempts": 0,
+                    "remaining": self._config.max_attempts,
+                    "locked": False,
+                    "locked_until": None,
+                }
+
+            now = time.time()
+            window_start = now - self._config.window_seconds
+            recent = len([t for t in tracker.attempts if t > window_start])
+
+            return {
+                "ip": ip,
+                "attempts": recent,
+                "remaining": max(0, self._config.max_attempts - recent),
+                "locked": tracker.locked_until is not None and now < tracker.locked_until,
+                "locked_until": tracker.locked_until,
+            }
+
+    def clear(self, ip: str | None = None) -> None:
+        """Clear rate limit data.
+
+        Args:
+            ip: Specific IP to clear, or None to clear all.
+        """
+        with self._lock:
+            if ip is None:
+                self._trackers.clear()
+                logger.info("auth_rate_limit_cleared_all")
+            elif ip in self._trackers:
+                del self._trackers[ip]
+                logger.info("auth_rate_limit_cleared", ip=ip)
+
+    def _maybe_cleanup(self, now: float) -> None:
+        """Clean up old entries periodically.
+
+        Called under lock.
+        """
+        if now - self._last_cleanup < self._config.cleanup_interval:
+            return
+
+        self._last_cleanup = now
+        window_start = now - self._config.window_seconds
+
+        # Remove trackers with no recent activity and not locked
+        to_remove = []
+        for ip, tracker in self._trackers.items():
+            # Keep if locked
+            if tracker.locked_until is not None and now < tracker.locked_until:
+                continue
+            # Keep if has recent attempts
+            if any(t > window_start for t in tracker.attempts):
+                continue
+            to_remove.append(ip)
+
+        for ip in to_remove:
+            del self._trackers[ip]
+
+        if to_remove:
+            logger.debug("auth_rate_limit_cleanup", removed_count=len(to_remove))
+
+
+# Global instance for use across the application
+_default_limiter: AuthRateLimiter | None = None
+
+
+def get_auth_rate_limiter() -> AuthRateLimiter:
+    """Get the global auth rate limiter instance.
+
+    Returns:
+        AuthRateLimiter instance.
+    """
+    global _default_limiter
+    if _default_limiter is None:
+        _default_limiter = AuthRateLimiter()
+    return _default_limiter
+
+
+def set_auth_rate_limiter(limiter: AuthRateLimiter) -> None:
+    """Set the global auth rate limiter instance.
+
+    Args:
+        limiter: AuthRateLimiter to use globally.
+    """
+    global _default_limiter
+    _default_limiter = limiter