mcp-proxy-adapter 2.0.1__py3-none-any.whl → 6.9.50__py3-none-any.whl

mcp_proxy_adapter/core/mtls_proxy.py

@@ -0,0 +1,229 @@
+"""
+mTLS Proxy for MCP Proxy Adapter
+
+This module provides mTLS proxy functionality that accepts mTLS connections
+and proxies them to the internal hypercorn server.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import asyncio
+import ssl
+import logging
+from typing import Optional, Dict, Any
+
+from .logging import get_global_logger
+
+logger = logging.getLogger(__name__)
+
+
+class MTLSProxy:
+    """
+    mTLS Proxy that accepts mTLS connections and proxies them to internal server.
+    """
+    
+    def __init__(
+        self,
+                 external_host: str,
+                 external_port: int,
+                 internal_host: str = "127.0.0.1",
+                 internal_port: int = 9000,
+                 cert_file: Optional[str] = None,
+                 key_file: Optional[str] = None,
+        ca_cert: Optional[str] = None,
+    ):
+        """
+        Initialize mTLS Proxy.
+        
+        Args:
+            external_host: External host to bind to
+            external_port: External port to bind to
+            internal_host: Internal server host
+            internal_port: Internal server port
+            cert_file: Server certificate file
+            key_file: Server private key file
+            ca_cert: CA certificate file for client verification
+        """
+        self.external_host = external_host
+        self.external_port = external_port
+        self.internal_host = internal_host
+        self.internal_port = internal_port
+        self.cert_file = cert_file
+        self.key_file = key_file
+        self.ca_cert = ca_cert
+        self.server = None
+        
+    async def start(self):
+        """Start the mTLS proxy server."""
+        try:
+            # Create SSL context
+            ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+            ssl_context.load_cert_chain(self.cert_file, self.key_file)
+            
+            if self.ca_cert:
+                ssl_context.load_verify_locations(self.ca_cert)
+                ssl_context.verify_mode = ssl.CERT_REQUIRED
+            else:
+                ssl_context.verify_mode = ssl.CERT_NONE
+                
+            # Start server
+            self.server = await asyncio.start_server(
+                self._handle_client,
+                self.external_host,
+                self.external_port,
+                ssl=ssl_context,
+            )
+            
+            get_global_logger().info(
+                f"🔐 mTLS Proxy started on {self.external_host}:{self.external_port}"
+            )
+            get_global_logger().info(
+                f"🌐 Proxying to {self.internal_host}:{self.internal_port}"
+            )
+            
+        except Exception as e:
+            get_global_logger().error(f"❌ Failed to start mTLS proxy: {e}")
+            raise
+                
+    async def _proxy_data(self, reader, writer, direction):
+        """Proxy data between reader and writer."""
+        try:
+            while True:
+                data = await reader.read(4096)
+                if not data:
+                    break
+                writer.write(data)
+                await writer.drain()
+        except Exception as e:
+            get_global_logger().debug(f"Proxy connection closed ({direction}): {e}")
+        finally:
+            try:
+                writer.close()
+                await writer.wait_closed()
+            except Exception:
+                pass
+
+    async def _handle_client(self, reader, writer):
+        """
+        Handle incoming client connection.
+
+        Args:
+            reader: Client reader stream
+            writer: Client writer stream
+        """
+        internal_reader = None
+        internal_writer = None
+
+        try:
+            # Connect to internal server
+            internal_reader, internal_writer = await asyncio.open_connection(
+                self.internal_host, self.internal_port
+            )
+
+            # Create bidirectional proxy tasks
+            client_to_server = asyncio.create_task(
+                self._proxy_data(reader, internal_writer, "client->server")
+            )
+            server_to_client = asyncio.create_task(
+                self._proxy_data(internal_reader, writer, "server->client")
+            )
+
+            # Wait for either direction to complete
+            done, pending = await asyncio.wait(
+                [client_to_server, server_to_client],
+                return_when=asyncio.FIRST_COMPLETED,
+            )
+
+            # Cancel pending tasks
+            for task in pending:
+                task.cancel()
+
+            # Wait for cancellation
+            await asyncio.gather(*pending, return_exceptions=True)
+
+        except Exception as e:
+            get_global_logger().debug(f"Client connection error: {e}")
+        finally:
+            # Clean up connections
+            if internal_writer:
+                try:
+                    internal_writer.close()
+                    await internal_writer.wait_closed()
+                except Exception:
+                    pass
+            if writer:
+                try:
+                    writer.close()
+                    await writer.wait_closed()
+                except Exception:
+                    pass
+
+
+async def start_mtls_proxy(
+    config: Dict[str, Any], internal_port: Optional[int] = None
+) -> Optional[MTLSProxy]:
+    """
+    Start mTLS proxy from configuration.
+
+    Args:
+        config: Configuration dictionary
+        internal_port: Internal server port (hypercorn port). If not provided,
+                      will be calculated as external_port + 1000
+
+    Returns:
+        MTLSProxy instance if started successfully, None otherwise
+    """
+    try:
+        server_config = config.get("server", {})
+        transport_config = config.get("transport", {})
+        ssl_config = config.get("ssl", {})
+
+        # Get external host and port
+        external_host = server_config.get("host", "0.0.0.0")
+        external_port = server_config.get("port", 8001)
+
+        # Get internal port (use provided or calculate)
+        if internal_port is None:
+            internal_port = external_port + 1000
+
+        # Get certificate paths - try multiple locations
+        cert_file = (
+            ssl_config.get("cert_file")
+            or transport_config.get("ssl", {}).get("cert_file")
+            or transport_config.get("cert_file")
+        )
+        key_file = (
+            ssl_config.get("key_file")
+            or transport_config.get("ssl", {}).get("key_file")
+            or transport_config.get("key_file")
+        )
+        ca_cert = (
+            ssl_config.get("ca_cert")
+            or transport_config.get("ssl", {}).get("ca_cert")
+            or transport_config.get("ca_cert")
+        )
+
+        if not cert_file or not key_file:
+            get_global_logger().warning(
+                "mTLS certificates not found, skipping mTLS proxy"
+            )
+            return None
+
+        # Create and start proxy
+        proxy = MTLSProxy(
+            external_host=external_host,
+            external_port=external_port,
+            internal_host="127.0.0.1",
+            internal_port=internal_port,
+            cert_file=cert_file,
+            key_file=key_file,
+            ca_cert=ca_cert,
+        )
+
+        await proxy.start()
+        return proxy
+
+    except Exception as e:
+        get_global_logger().error(f"Failed to start mTLS proxy: {e}")
+        return None

mcp_proxy_adapter/core/mtls_server.py

@@ -0,0 +1,154 @@
+#!/usr/bin/env python3
+"""
+mTLS Server implementation using built-in http.server.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import threading
+import ssl
+import json
+import logging
+from http.server import HTTPServer, BaseHTTPRequestHandler
+from typing import Optional, Dict, Any
+import os
+
+logger = logging.getLogger(__name__)
+
+
+class mTLSHandler(BaseHTTPRequestHandler):
+    """Handler for mTLS connections."""
+
+    def __init__(self, *args, main_app=None, **kwargs):
+        self.main_app = main_app
+        super().__init__(*args, **kwargs)
+
+
+
+
+    def _forward_to_main_app(
+        self,
+        method: str,
+        path: str,
+        client_cert: Optional[Dict],
+        post_data: Optional[bytes] = None,
+    ) -> Dict[str, Any]:
+        """Forward request to main FastAPI application."""
+        try:
+            # This is a simplified forwarding - in real implementation
+            # you would use httpx or similar to make internal HTTP calls
+            # to the main FastAPI app running on different port
+
+            return {
+                "status": "ok",
+                "message": f"mTLS {method} forwarded to main app",
+                "client_cert": client_cert,
+                "path": path,
+                "forwarded": True,
+            }
+        except Exception as e:
+            get_global_logger().error(f"Error forwarding to main app: {e}")
+            return {
+                "status": "error",
+                "message": f"Forwarding failed: {e}",
+                "client_cert": client_cert,
+                "path": path,
+            }
+
+
+class mTLSServer:
+    """mTLS Server using built-in http.server."""
+
+    def __init__(
+        self,
+        host: str = "127.0.0.1",
+        port: int = 8443,
+        cert_file: str = None,
+        key_file: str = None,
+        ca_cert_file: str = None,
+        main_app=None,
+    ):
+        """
+        Initialize mTLS server.
+
+        Args:
+            host: Server host
+            port: Server port
+            cert_file: Server certificate file
+            key_file: Server private key file
+            ca_cert_file: CA certificate file for client verification
+            main_app: Main FastAPI application for forwarding requests
+        """
+        self.host = host
+        self.port = port
+        self.cert_file = cert_file
+        self.key_file = key_file
+        self.ca_cert_file = ca_cert_file
+        self.main_app = main_app
+
+        self.server: Optional[HTTPServer] = None
+        self.server_thread: Optional[threading.Thread] = None
+        self.running = False
+
+        get_global_logger().info(f"mTLS Server initialized: {host}:{port}")
+
+    def _create_handler(self):
+        """Create handler with main app reference."""
+
+
+        return handler
+
+    def start(self) -> bool:
+        """Start mTLS server in separate thread."""
+        try:
+            # Check if certificate files exist
+            if not os.path.exists(self.cert_file):
+                get_global_logger().error(f"Certificate file not found: {self.cert_file}")
+                return False
+
+            if not os.path.exists(self.key_file):
+                get_global_logger().error(f"Key file not found: {self.key_file}")
+                return False
+
+            if not os.path.exists(self.ca_cert_file):
+                get_global_logger().error(
+                    f"CA certificate file not found: {self.ca_cert_file}"
+                )
+                return False
+
+            # Create server
+            handler_class = self._create_handler()
+            self.server = HTTPServer((self.host, self.port), handler_class)
+
+            # Configure SSL context
+            context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+            context.load_cert_chain(self.cert_file, self.key_file)
+            context.load_verify_locations(self.ca_cert_file)
+            context.verify_mode = ssl.CERT_REQUIRED
+
+            # Wrap socket with SSL
+            self.server.socket = context.wrap_socket(
+                self.server.socket, server_side=True
+            )
+
+            # Start server in separate thread
+            self.server_thread = threading.Thread(
+                target=self._run_server, daemon=True
+            )
+            self.server_thread.start()
+
+            self.running = True
+            get_global_logger().info(
+                f"✅ mTLS Server started on https://{self.host}:{self.port}"
+            )
+            return True
+
+        except Exception as e:
+            get_global_logger().error(f"Failed to start mTLS server: {e}")
+            return False
+
+
+
+
+

mcp_proxy_adapter/core/protocol_manager.py

@@ -0,0 +1,232 @@
+"""
+Protocol management module for MCP Proxy Adapter.
+
+This module provides functionality for managing and validating protocol configurations,
+including HTTP, HTTPS, and MTLS protocols with their respective ports.
+"""
+
+import ssl
+from urllib.parse import urlparse
+from typing import Dict, List, Any, Optional
+
+from mcp_proxy_adapter.config import config
+from mcp_proxy_adapter.core.logging import get_global_logger
+
+
+class ProtocolManager:
+    """
+    Manages protocol configurations and validates protocol access.
+
+    This class handles the validation of allowed protocols and their associated ports,
+    ensuring that only configured protocols are accessible.
+    """
+
+    def __init__(self, app_config: Optional[Dict] = None):
+        """
+        Initialize the protocol manager.
+
+        Args:
+            app_config: Application configuration dictionary (optional)
+        """
+        self.app_config = app_config
+        self._load_config()
+
+    def _load_config(self):
+        """Load protocol configuration from config."""
+        # Use provided config or fallback to global config; normalize types
+        current_config = (
+            self.app_config if self.app_config is not None else config.get_all()
+        )
+        get_global_logger().debug(
+            f"ProtocolManager._load_config - current_config type: {type(current_config)}"
+        )
+
+        if not hasattr(current_config, "get"):
+            # Not a dict-like config, fallback to global
+            get_global_logger().debug(
+                f"ProtocolManager._load_config - current_config is not dict-like, falling back to global config"
+            )
+            current_config = config.get_all()
+
+        get_global_logger().debug(
+            f"ProtocolManager._load_config - final current_config type: {type(current_config)}"
+        )
+        if hasattr(current_config, "get"):
+            get_global_logger().debug(
+                f"ProtocolManager._load_config - current_config keys: {list(current_config.keys()) if hasattr(current_config, 'keys') else 'no keys'}"
+            )
+
+        # Get server protocol configuration (new simplified structure)
+        get_global_logger().debug(f"ProtocolManager._load_config - before getting server protocol")
+        try:
+            server_config = current_config.get("server", {})
+            server_protocol = server_config.get("protocol", "http")
+            get_global_logger().debug(f"ProtocolManager._load_config - server protocol: {server_protocol}")
+            
+            # Set allowed protocols based on server protocol
+            if server_protocol == "http":
+                self.allowed_protocols = ["http"]
+            elif server_protocol == "https":
+                self.allowed_protocols = ["https"]
+            elif server_protocol == "mtls":
+                self.allowed_protocols = ["mtls", "https"]  # mTLS also supports HTTPS
+            else:
+                # Fallback to HTTP
+                self.allowed_protocols = ["http"]
+                get_global_logger().warning(f"Unknown server protocol '{server_protocol}', defaulting to HTTP")
+                
+            get_global_logger().debug(f"ProtocolManager._load_config - allowed protocols: {self.allowed_protocols}")
+            
+        except Exception as e:
+            get_global_logger().debug(f"ProtocolManager._load_config - ERROR getting server protocol: {e}")
+            # Fallback to HTTP
+            self.allowed_protocols = ["http"]
+
+        # Protocol management is always enabled in new structure
+        self.enabled = True
+
+        get_global_logger().debug(
+            f"Protocol manager loaded config: enabled={self.enabled}, allowed_protocols={self.allowed_protocols}"
+        )
+
+
+
+
+    def is_protocol_allowed(self, protocol: str) -> bool:
+        """
+        Check if a protocol is allowed based on configuration.
+
+        Args:
+            protocol: Protocol name (http, https, mtls)
+
+        Returns:
+            True if protocol is allowed, False otherwise
+        """
+        get_global_logger().debug(f"🔍 ProtocolManager.is_protocol_allowed - protocol: {protocol}")
+        get_global_logger().debug(f"🔍 ProtocolManager.is_protocol_allowed - enabled: {self.enabled}")
+        get_global_logger().debug(f"🔍 ProtocolManager.is_protocol_allowed - allowed_protocols: {self.allowed_protocols}")
+        
+        if not self.enabled:
+            get_global_logger().debug("✅ ProtocolManager.is_protocol_allowed - Protocol management is disabled, allowing all protocols")
+            return True
+
+        protocol_lower = protocol.lower()
+        is_allowed = protocol_lower in self.allowed_protocols
+
+        get_global_logger().debug(f"🔍 ProtocolManager.is_protocol_allowed - Protocol '{protocol}' allowed: {is_allowed}")
+        return is_allowed
+
+
+
+    def get_protocol_config(self, protocol: str) -> Dict:
+        """
+        Get full configuration for a specific protocol.
+
+        Args:
+            protocol: Protocol name (http, https, mtls)
+
+        Returns:
+            Protocol configuration dictionary
+        """
+        protocol_lower = protocol.lower()
+        cfg = self.protocols_config.get(protocol_lower, {})
+        # Ensure dict type
+        if isinstance(cfg, dict):
+            try:
+                return cfg.copy()
+            except Exception:
+                return {}
+        return {}
+
+
+    def get_ssl_context_for_protocol(self, protocol: str) -> Optional[ssl.SSLContext]:
+        """
+        Get SSL context for HTTPS or MTLS protocol.
+
+        Args:
+            protocol: Protocol name (https, mtls)
+
+        Returns:
+            SSL context if protocol requires SSL, None otherwise
+        """
+        if protocol.lower() not in ["https", "mtls"]:
+            return None
+
+        # Use provided config or fallback to global config
+        current_config = (
+            self.app_config if self.app_config is not None else config.get_all()
+        )
+
+        # Get SSL configuration
+        ssl_config = self._get_ssl_config(current_config)
+
+        if not ssl_config.get("enabled", False):
+            get_global_logger().warning(
+                f"SSL required for protocol '{protocol}' but SSL is disabled"
+            )
+            return None
+
+        cert_file = ssl_config.get("cert_file")
+        key_file = ssl_config.get("key_file")
+
+        if not cert_file or not key_file:
+            get_global_logger().warning(
+                f"SSL required for protocol '{protocol}' but certificate files not configured"
+            )
+            return None
+
+        try:
+            from mcp_proxy_adapter.core.ssl_utils import SSLUtils
+
+            ssl_context = SSLUtils.create_ssl_context(
+                cert_file=cert_file,
+                key_file=key_file,
+                ca_cert=ssl_config.get("ca_cert"),
+                verify_client=protocol.lower() == "mtls"
+                or ssl_config.get("verify_client", False),
+                cipher_suites=ssl_config.get("cipher_suites", []),
+                min_tls_version=ssl_config.get("min_tls_version", "1.2"),
+                max_tls_version=ssl_config.get("max_tls_version", "1.3"),
+            )
+
+            get_global_logger().info(f"SSL context created for protocol '{protocol}'")
+            return ssl_context
+
+        except Exception as e:
+            get_global_logger().error(f"Failed to create SSL context for protocol '{protocol}': {e}")
+            return None
+
+    def _get_ssl_config(self, current_config: Dict) -> Dict:
+        """
+        Get SSL configuration from config.
+
+        Args:
+            current_config: Current configuration dictionary
+
+        Returns:
+            SSL configuration dictionary
+        """
+        # Try security framework SSL config first
+        security_config = current_config.get("security", {})
+        ssl_config = security_config.get("ssl", {})
+
+        if ssl_config.get("enabled", False):
+            get_global_logger().debug("Using security.ssl configuration")
+            return ssl_config
+
+        # Fallback to legacy SSL config
+        legacy_ssl_config = current_config.get("ssl", {})
+        if legacy_ssl_config.get("enabled", False):
+            get_global_logger().debug("Using legacy ssl configuration")
+            return legacy_ssl_config
+
+        # Return empty config if SSL is disabled
+        return {"enabled": False}
+
+
+
+
+# Global protocol manager instance - will be updated with config when needed
+protocol_manager = None
+
+

mcp_proxy_adapter/core/proxy/__init__.py

@@ -0,0 +1,19 @@
+"""
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+
+Proxy registration package for MCP Proxy Adapter.
+"""
+
+from .proxy_registration_manager import ProxyRegistrationManager, ProxyRegistrationError
+from .auth_manager import AuthManager
+from .ssl_manager import SSLManager
+from .registration_client import RegistrationClient
+
+__all__ = [
+    "ProxyRegistrationManager",
+    "ProxyRegistrationError",
+    "AuthManager",
+    "SSLManager",
+    "RegistrationClient",
+]

mcp_proxy_adapter/core/proxy/auth_manager.py

@@ -0,0 +1,26 @@
+"""
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+
+Authentication management for proxy registration.
+"""
+
+from typing import Dict, Any
+
+from mcp_proxy_adapter.core.logging import get_global_logger
+
+
+class AuthManager:
+    """Manager for authentication in proxy registration."""
+
+    def __init__(self, client_security, registration_config: Dict[str, Any]):
+        """
+        Initialize authentication manager.
+
+        Args:
+            client_security: Client security manager instance
+            registration_config: Registration configuration
+        """
+        self.client_security = client_security
+        self.registration_config = registration_config
+        self.logger = get_global_logger()