mcp-proxy-adapter 2.0.1__py3-none-any.whl → 6.9.50__py3-none-any.whl

mcp_proxy_adapter/core/ssl_utils.py

@@ -0,0 +1,161 @@
+"""
+SSL Utilities Module
+
+This module provides utilities for SSL/TLS configuration and certificate validation.
+Integrates with AuthValidator from Phase 0 for certificate validation.
+Supports CRL (Certificate Revocation List) validation.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+Version: 1.0.0
+"""
+
+import ssl
+import logging
+from typing import List, Optional, Dict, Any
+from pathlib import Path
+
+from .auth_validator import AuthValidator
+from .crl_utils import CRLManager
+
+logger = logging.getLogger(__name__)
+
+
+class SSLUtils:
+    """
+    SSL utilities for creating SSL contexts and validating certificates.
+    """
+
+    # TLS version mapping
+    TLS_VERSIONS = {
+        "1.0": ssl.TLSVersion.TLSv1,
+        "1.1": ssl.TLSVersion.TLSv1_1,
+        "1.2": ssl.TLSVersion.TLSv1_2,
+        "1.3": ssl.TLSVersion.TLSv1_3,
+    }
+
+    # Cipher suite mapping
+    CIPHER_SUITES = {
+        "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
+        "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
+        "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
+        "ECDHE-RSA-AES256-GCM-SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
+        "ECDHE-RSA-AES128-GCM-SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
+        "ECDHE-RSA-CHACHA20-POLY1305": "ECDHE-RSA-CHACHA20-POLY1305",
+    }
+
+    @staticmethod
+
+    @staticmethod
+    def validate_certificate(
+        cert_file: str, crl_config: Optional[Dict[str, Any]] = None
+    ) -> bool:
+        """
+        Validate certificate using AuthValidator and optional CRL check.
+
+        Args:
+            cert_file: Path to certificate file
+            crl_config: CRL configuration dictionary (optional)
+
+        Returns:
+            True if certificate is valid, False otherwise
+        """
+        try:
+            validator = AuthValidator()
+            result = validator.validate_certificate(cert_file)
+            if not result.is_valid:
+                return False
+
+            # Check CRL if configured
+            if crl_config:
+                try:
+                    crl_manager = CRLManager(crl_config)
+                    if crl_manager.is_certificate_revoked(cert_file):
+                        get_global_logger().warning(
+                            f"Certificate is revoked according to CRL: {cert_file}"
+                        )
+                        return False
+                except Exception as e:
+                    get_global_logger().error(f"CRL check failed: {e}")
+                    # For security, consider certificate invalid if CRL check fails
+                    return False
+
+            return True
+        except Exception as e:
+            get_global_logger().error(f"Certificate validation failed: {e}")
+            return False
+
+    @staticmethod
+    def setup_cipher_suites(context: ssl.SSLContext, cipher_suites: List[str]) -> None:
+        """
+        Setup cipher suites for SSL context.
+
+        Args:
+            context: SSL context to configure
+            cipher_suites: List of cipher suite names
+        """
+        if not cipher_suites:
+            return
+
+        # Convert cipher suite names to actual cipher suite strings
+        actual_ciphers = []
+        for cipher_name in cipher_suites:
+            if cipher_name in SSLUtils.CIPHER_SUITES:
+                actual_ciphers.append(SSLUtils.CIPHER_SUITES[cipher_name])
+            else:
+                get_global_logger().warning(f"Unknown cipher suite: {cipher_name}")
+
+        if actual_ciphers:
+            try:
+                context.set_ciphers(":".join(actual_ciphers))
+                get_global_logger().info(f"Cipher suites configured: {actual_ciphers}")
+            except ssl.SSLError as e:
+                get_global_logger().error(f"Failed to set cipher suites: {e}")
+
+    @staticmethod
+    def setup_tls_versions(
+        context: ssl.SSLContext, min_version: str, max_version: str
+    ) -> None:
+        """
+        Setup TLS version range for SSL context.
+
+        Args:
+            context: SSL context to configure
+            min_version: Minimum TLS version
+            max_version: Maximum TLS version
+        """
+        try:
+            min_tls = SSLUtils.TLS_VERSIONS.get(min_version)
+            max_tls = SSLUtils.TLS_VERSIONS.get(max_version)
+
+            if min_tls and max_tls:
+                context.minimum_version = min_tls
+                context.maximum_version = max_tls
+                get_global_logger().info(f"TLS versions configured: {min_version} - {max_version}")
+            else:
+                get_global_logger().warning(
+                    f"Invalid TLS version range: {min_version} - {max_version}"
+                )
+        except Exception as e:
+            get_global_logger().error(f"Failed to set TLS versions: {e}")
+
+    @staticmethod
+    def create_ssl_context(
+        cert_file: Optional[str] = None,
+        key_file: Optional[str] = None,
+        ca_file: Optional[str] = None,
+        verify_mode: int = ssl.CERT_REQUIRED,
+        check_hostname: bool = True,
+    ) -> ssl.SSLContext:
+        """Create SSL context with proper configuration."""
+        context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+        context.check_hostname = check_hostname
+        context.verify_mode = verify_mode
+        
+        if cert_file and key_file:
+            context.load_cert_chain(cert_file, key_file)
+        
+        if ca_file:
+            context.load_verify_locations(ca_file)
+            
+        return context

mcp_proxy_adapter/core/transport_manager.py

@@ -0,0 +1,153 @@
+"""
+Transport manager module.
+
+This module provides transport management functionality for the MCP Proxy Adapter.
+"""
+
+from typing import Dict, Any, Optional
+from dataclasses import dataclass
+from enum import Enum
+from pathlib import Path
+
+from mcp_proxy_adapter.core.logging import get_global_logger
+
+
+class TransportType(Enum):
+    """Transport types enumeration."""
+
+    HTTP = "http"
+    HTTPS = "https"
+    MTLS = "mtls"
+
+
+@dataclass
+class TransportConfig:
+    """Transport configuration data class."""
+
+    type: TransportType
+    port: Optional[int]
+    ssl_enabled: bool
+    cert_file: Optional[str]
+    key_file: Optional[str]
+    ca_cert: Optional[str]
+    verify_client: bool
+    client_cert_required: bool
+
+
+class TransportManager:
+    """
+    Transport manager for handling different transport types.
+
+    This class manages transport configuration and provides utilities
+    for determining ports and SSL settings based on transport type.
+    """
+
+    # Default ports for transport types
+    DEFAULT_PORTS = {
+        TransportType.HTTP: 8000,
+        TransportType.HTTPS: 8443,
+        TransportType.MTLS: 9443,
+    }
+
+    def __init__(self):
+        """Initialize transport manager."""
+        self._config: Optional[TransportConfig] = None
+        self._current_transport: Optional[TransportType] = None
+
+
+
+    def get_port(self) -> Optional[int]:
+        """
+        Get configured port.
+
+        Returns:
+            Port number or None if not configured
+        """
+        return self._config.port if self._config else None
+
+    def is_ssl_enabled(self) -> bool:
+        """
+        Check if SSL is enabled.
+
+        Returns:
+            True if SSL is enabled, False otherwise
+        """
+        return self._config.ssl_enabled if self._config else False
+
+    def get_ssl_config(self) -> Optional[Dict[str, Any]]:
+        """
+        Get SSL configuration.
+
+        Returns:
+            SSL configuration dict or None if SSL not enabled
+        """
+        if not self._config or not self._config.ssl_enabled:
+            return None
+
+        return {
+            "cert_file": self._config.cert_file,
+            "key_file": self._config.key_file,
+            "ca_cert": self._config.ca_cert,
+            "verify_client": self._config.verify_client,
+            "client_cert_required": self._config.client_cert_required,
+        }
+
+    def is_mtls(self) -> bool:
+        """
+        Check if current transport is MTLS.
+
+        Returns:
+            True if MTLS transport, False otherwise
+        """
+        return self._current_transport == TransportType.MTLS
+
+    def is_https(self) -> bool:
+        """
+        Check if current transport is HTTPS.
+
+        Returns:
+            True if HTTPS transport, False otherwise
+        """
+        return self._current_transport == TransportType.HTTPS
+
+    def is_http(self) -> bool:
+        """
+        Check if current transport is HTTP.
+
+        Returns:
+            True if HTTP transport, False otherwise
+        """
+        return self._current_transport == TransportType.HTTP
+
+
+
+    def validate_ssl_files(self) -> bool:
+        """
+        Check if SSL files exist.
+
+        Returns:
+            True if all SSL files exist, False otherwise
+        """
+        if not self._config or not self._config.ssl_enabled:
+            return True
+
+        files_to_check = []
+        if self._config.cert_file:
+            files_to_check.append(self._config.cert_file)
+        if self._config.key_file:
+            files_to_check.append(self._config.key_file)
+        if self._config.ca_cert:
+            files_to_check.append(self._config.ca_cert)
+
+        for file_path in files_to_check:
+            if not Path(file_path).exists():
+                get_global_logger().error(f"SSL file not found: {file_path}")
+                return False
+
+        get_global_logger().info(f"All SSL files validated successfully: {files_to_check}")
+        return True
+
+
+
+# Global transport manager instance
+transport_manager = TransportManager()