mcp-proxy-adapter 4.1.0__py3-none-any.whl → 6.0.0__py3-none-any.whl

mcp_proxy_adapter/__main__.py

@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+"""
+Main entry point for MCP Proxy Adapter.
+
+This module allows running the MCP Proxy Adapter as a module:
+    python -m mcp_proxy_adapter
+"""
+
+from mcp_proxy_adapter.main import main
+
+if __name__ == "__main__":
+    main()

mcp_proxy_adapter/api/app.py

@@ -3,6 +3,7 @@ Module for FastAPI application setup.
 """
 
 import json
+import ssl
 from typing import Any, Dict, List, Optional, Union
 from contextlib import asynccontextmanager
 
@@ -17,6 +18,7 @@ from mcp_proxy_adapter.api.tools import get_tool_description, execute_tool
 from mcp_proxy_adapter.config import config
 from mcp_proxy_adapter.core.errors import MicroserviceError, NotFoundError
 from mcp_proxy_adapter.core.logging import logger, RequestLogger
+from mcp_proxy_adapter.core.ssl_utils import SSLUtils
 from mcp_proxy_adapter.commands.command_registry import registry
 from mcp_proxy_adapter.custom_openapi import custom_openapi_with_fallback
 
@@ -28,25 +30,91 @@ async def lifespan(app: FastAPI):
     """
     # Startup events
     from mcp_proxy_adapter.commands.command_registry import registry
-    from mcp_proxy_adapter.commands.help_command import HelpCommand
-    from mcp_proxy_adapter.commands.health_command import HealthCommand
+    from mcp_proxy_adapter.core.proxy_registration import register_with_proxy, unregister_from_proxy
     
-    # Register built-in commands if they don't exist (user can override them)
-    if not registry.command_exists("help"):
-        registry.register(HelpCommand)
+    # Initialize system using unified logic
+    # This will load config, register custom commands, and discover auto-commands
+    init_result = await registry.reload_system()
     
-    if not registry.command_exists("health"):
-        registry.register(HealthCommand)
+    logger.info(f"Application started with {init_result['total_commands']} commands registered")
+    logger.info(f"System initialization result: {init_result}")
     
-    # Discover and register additional commands automatically
-    registry.discover_commands()
+    # Register with proxy if enabled
+    server_config = config.get("server", {})
+    server_host = server_config.get("host", "0.0.0.0")
+    server_port = server_config.get("port", 8000)
     
-    logger.info(f"Application started with {len(registry.get_all_commands())} commands registered")
+    # Determine server URL based on SSL configuration
+    ssl_config = config.get("ssl", {})
+    if ssl_config.get("enabled", False):
+        protocol = "https"
+    else:
+        protocol = "http"
+    
+    # Use localhost for external access if host is 0.0.0.0
+    if server_host == "0.0.0.0":
+        server_host = "localhost"
+    
+    server_url = f"{protocol}://{server_host}:{server_port}"
+    
+    # Attempt proxy registration
+    registration_success = await register_with_proxy(server_url)
+    if registration_success:
+        logger.info("✅ Proxy registration completed successfully")
+    else:
+                    logger.info("ℹ️ Proxy registration is disabled or failed")
     
     yield  # Application is running
     
     # Shutdown events
     logger.info("Application shutting down")
+    
+    # Unregister from proxy if enabled
+    unregistration_success = await unregister_from_proxy()
+    if unregistration_success:
+        logger.info("✅ Proxy unregistration completed successfully")
+    else:
+        logger.warning("⚠️ Proxy unregistration failed or was disabled")
+
+
+def create_ssl_context() -> Optional[ssl.SSLContext]:
+    """
+    Create SSL context based on configuration.
+    
+    Returns:
+        SSL context if SSL is enabled and properly configured, None otherwise
+    """
+    ssl_config = config.get("ssl", {})
+    
+    if not ssl_config.get("enabled", False):
+        logger.info("SSL is disabled in configuration")
+        return None
+    
+    cert_file = ssl_config.get("cert_file")
+    key_file = ssl_config.get("key_file")
+    
+    if not cert_file or not key_file:
+        logger.warning("SSL enabled but certificate or key file not specified")
+        return None
+    
+    try:
+        # Create SSL context using SSLUtils
+        ssl_context = SSLUtils.create_ssl_context(
+            cert_file=cert_file,
+            key_file=key_file,
+            ca_cert=ssl_config.get("ca_cert"),
+            verify_client=ssl_config.get("verify_client", False),
+            cipher_suites=ssl_config.get("cipher_suites", []),
+            min_tls_version=ssl_config.get("min_tls_version", "1.2"),
+            max_tls_version=ssl_config.get("max_tls_version", "1.3")
+        )
+        
+        logger.info(f"SSL context created successfully for mode: {ssl_config.get('mode', 'https_only')}")
+        return ssl_context
+        
+    except Exception as e:
+        logger.error(f"Failed to create SSL context: {e}")
+        return None
 
 
 def create_app(title: Optional[str] = None, description: Optional[str] = None, version: Optional[str] = None) -> FastAPI:
@@ -60,7 +128,66 @@ def create_app(title: Optional[str] = None, description: Optional[str] = None, v
 
     Returns:
         Configured FastAPI application.
+        
+    Raises:
+        SystemExit: If authentication is enabled but required files are missing (security issue)
     """
+    # Security check: Validate all authentication configurations before startup
+    security_errors = []
+    
+    # Check roles configuration
+    roles_config = config.get("roles", {})
+    if roles_config.get("enabled", False):
+        roles_config_path = roles_config.get("config_file", "schemas/roles_schema.json")
+        from pathlib import Path
+        if not Path(roles_config_path).exists():
+            security_errors.append(f"Roles are enabled but schema file not found: {roles_config_path}")
+    
+    # Check SSL configuration
+    ssl_config = config.get("ssl", {})
+    if ssl_config.get("enabled", False):
+        # Check SSL certificate files
+        cert_file = ssl_config.get("cert_file")
+        key_file = ssl_config.get("key_file")
+        
+        if cert_file and not Path(cert_file).exists():
+            security_errors.append(f"SSL is enabled but certificate file not found: {cert_file}")
+        
+        if key_file and not Path(key_file).exists():
+            security_errors.append(f"SSL is enabled but private key file not found: {key_file}")
+        
+        # Check mTLS configuration
+        if ssl_config.get("mode") == "mtls":
+            ca_cert = ssl_config.get("ca_cert")
+            if ca_cert and not Path(ca_cert).exists():
+                security_errors.append(f"mTLS is enabled but CA certificate file not found: {ca_cert}")
+    
+    # Check token authentication configuration
+    token_auth_config = ssl_config.get("token_auth", {})
+    if token_auth_config.get("enabled", False):
+        tokens_file = token_auth_config.get("tokens_file", "tokens.json")
+        if not Path(tokens_file).exists():
+            security_errors.append(f"Token authentication is enabled but tokens file not found: {tokens_file}")
+    
+    # Check general authentication
+    if config.get("auth_enabled", False):
+        # If auth is enabled, check if any authentication method is properly configured
+        ssl_enabled = ssl_config.get("enabled", False)
+        roles_enabled = roles_config.get("enabled", False)
+        token_auth_enabled = token_auth_config.get("enabled", False)
+        
+        if not (ssl_enabled or roles_enabled or token_auth_enabled):
+            security_errors.append("Authentication is enabled but no authentication method is properly configured")
+    
+    # If there are security errors, block startup
+    if security_errors:
+        logger.critical("CRITICAL SECURITY ERROR: Authentication configuration issues detected:")
+        for error in security_errors:
+            logger.critical(f"  - {error}")
+        logger.critical("Server startup blocked for security reasons.")
+        logger.critical("Please fix authentication configuration or disable authentication features.")
+        raise SystemExit(1)
+    
     # Use provided parameters or defaults
     app_title = title or "MCP Proxy Adapter"
     app_description = description or "JSON-RPC API for interacting with MCP Proxy"
@@ -186,7 +313,7 @@ def create_app(title: Optional[str] = None, description: Optional[str] = None, v
             command_name = command_data["command"]
             params = command_data.get("params", {})
             
-            req_logger.info(f"Executing command via /cmd: {command_name}, params: {params}")
+            req_logger.debug(f"Executing command via /cmd: {command_name}, params: {params}")
             
             # Check if command exists
             if not registry.command_exists(command_name):

mcp_proxy_adapter/api/handlers.py

@@ -39,17 +39,32 @@ async def execute_command(command_name: str, params: Dict[str, Any], request_id:
     try:
         log.info(f"Executing command: {command_name}")
         
+        # Execute before command hooks
+        try:
+            from mcp_proxy_adapter.commands.hooks import hooks
+            hooks.execute_before_command_hooks(command_name, params)
+            log.debug(f"Executed before command hooks for: {command_name}")
+        except Exception as e:
+            log.warning(f"Failed to execute before command hooks: {e}")
+        
         # Get command class from registry and execute with parameters
         start_time = time.time()
         
         # Use Command.run that handles instances with dependencies properly
-        command_class = registry.get_command_with_priority(command_name)
+        command_class = registry.get_command(command_name)
         result = await command_class.run(**params)
         
         execution_time = time.time() - start_time
         
         log.info(f"Command '{command_name}' executed in {execution_time:.3f} sec")
         
+        # Execute after command hooks
+        try:
+            hooks.execute_after_command_hooks(command_name, params, result)
+            log.debug(f"Executed after command hooks for: {command_name}")
+        except Exception as e:
+            log.warning(f"Failed to execute after command hooks: {e}")
+        
         # Return result
         return result.to_dict()
     except NotFoundError as e:

mcp_proxy_adapter/api/middleware/__init__.py

@@ -6,44 +6,45 @@ This package contains middleware components for request processing.
 from fastapi import FastAPI
 
 from mcp_proxy_adapter.core.logging import logger
+from mcp_proxy_adapter.config import config
 from .base import BaseMiddleware
-from .logging import LoggingMiddleware
-from .error_handling import ErrorHandlingMiddleware
-from .auth import AuthMiddleware
-from .rate_limit import RateLimitMiddleware
-from .performance import PerformanceMiddleware
+from .factory import MiddlewareFactory
+from .protocol_middleware import setup_protocol_middleware
 
 def setup_middleware(app: FastAPI) -> None:
     """
-    Sets up middleware for application.
+    Sets up middleware for application using the new middleware factory.
 
     Args:
         app: FastAPI application instance.
     """
-    # Add error handling middleware first (last to execute)
-    app.add_middleware(ErrorHandlingMiddleware)
+    # Create middleware factory
+    factory = MiddlewareFactory(app, config.get_all())
     
-    # Add logging middleware
-    app.add_middleware(LoggingMiddleware)
+    # Validate middleware configuration
+    if not factory.validate_middleware_config():
+        logger.error("Middleware configuration validation failed")
+        raise SystemExit(1)
     
-    # Add rate limiting middleware if configured
-    from mcp_proxy_adapter.config import config
-    if config.get("rate_limit_enabled", False):
-        app.add_middleware(
-            RateLimitMiddleware,
-            rate_limit=config.get("rate_limit", 100),
-            time_window=config.get("rate_limit_window", 60)
-        )
+    logger.info("Using unified security middleware")
+    middleware_list = factory.create_all_middleware()
     
-    # Добавляем authentication middleware с явным указанием auth_enabled
-    auth_enabled = config.get("auth_enabled", False)
-    app.add_middleware(
-        AuthMiddleware,
-        api_keys=config.get("api_keys", {}),
-        auth_enabled=auth_enabled
-    )
-
-    # Add performance middleware
-    app.add_middleware(PerformanceMiddleware)
+    # Add middleware to application
+    for middleware in middleware_list:
+        # For ASGI middleware, we need to wrap the application
+        if hasattr(middleware, 'dispatch'):
+            # This is a proper ASGI middleware
+            app.middleware("http")(middleware.dispatch)
+        else:
+            logger.warning(f"Middleware {middleware.__class__.__name__} doesn't have dispatch method")
+    
+    # Add protocol middleware (always needed)
+    setup_protocol_middleware(app)
     
-    logger.info(f"Middleware setup completed. Auth enabled: {auth_enabled}") 
+    # Log middleware information
+    middleware_info = factory.get_middleware_info()
+    logger.info(f"Middleware setup completed:")
+    logger.info(f"  - Total middleware: {middleware_info['total_middleware']}")
+    logger.info(f"  - Types: {', '.join(middleware_info['middleware_types'])}")
+    logger.info(f"  - Security enabled: {middleware_info['security_enabled']}")
+ 

mcp_proxy_adapter/api/middleware/auth_adapter.py

@@ -0,0 +1,235 @@
+"""
+Auth Middleware Adapter for backward compatibility.
+
+This module provides an adapter that maintains the same interface as AuthMiddleware
+while using the new SecurityMiddleware internally.
+"""
+
+import json
+from typing import Dict, List, Optional, Callable, Awaitable
+
+from fastapi import Request, Response
+from starlette.responses import JSONResponse
+
+from mcp_proxy_adapter.core.logging import logger
+from .base import BaseMiddleware
+from .security import SecurityMiddleware
+
+
+class AuthMiddlewareAdapter(BaseMiddleware):
+    """
+    Adapter for AuthMiddleware that uses SecurityMiddleware internally.
+    
+    Maintains the same interface as the original AuthMiddleware for backward compatibility.
+    """
+    
+    def __init__(self, app, api_keys: Dict[str, str] = None, 
+                 public_paths: List[str] = None, auth_enabled: bool = True):
+        """
+        Initialize auth middleware adapter.
+        
+        Args:
+            app: FastAPI application
+            api_keys: Dictionary with API keys (key: username)
+            public_paths: List of paths accessible without authentication
+            auth_enabled: Flag to enable/disable authentication
+        """
+        super().__init__(app)
+        
+        # Store original parameters for backward compatibility
+        self.api_keys = api_keys or {}
+        self.public_paths = public_paths or [
+            "/docs", 
+            "/redoc", 
+            "/openapi.json", 
+            "/health"
+        ]
+        self.auth_enabled = auth_enabled
+        
+        # Create internal security middleware
+        self.security_middleware = self._create_security_middleware()
+        
+        logger.info(f"AuthMiddlewareAdapter initialized: auth_enabled={auth_enabled}, "
+                   f"api_keys_count={len(self.api_keys)}, public_paths_count={len(self.public_paths)}")
+    
+    def _create_security_middleware(self) -> SecurityMiddleware:
+        """
+        Create internal SecurityMiddleware with AuthMiddleware configuration.
+        
+        Returns:
+            SecurityMiddleware instance
+        """
+        # Convert AuthMiddleware config to SecurityMiddleware config
+        security_config = {
+            "security": {
+                "enabled": self.auth_enabled,
+                "auth": {
+                    "enabled": self.auth_enabled,
+                    "methods": ["api_key"],
+                    "api_keys": self.api_keys
+                },
+                "ssl": {
+                    "enabled": False
+                },
+                "permissions": {
+                    "enabled": False
+                },
+                "rate_limit": {
+                    "enabled": False
+                },
+                "public_paths": self.public_paths
+            }
+        }
+        
+        return SecurityMiddleware(self.app, security_config)
+    
+    async def dispatch(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
+        """
+        Process request using internal SecurityMiddleware with legacy API key handling.
+        
+        Args:
+            request: Request object
+            call_next: Next handler
+            
+        Returns:
+            Response object
+        """
+        # Check if authentication is disabled
+        if not self.auth_enabled:
+            logger.debug("Authentication is disabled, skipping authentication check")
+            return await call_next(request)
+        
+        # Check if path is public
+        path = request.url.path
+        if self._is_public_path(path):
+            return await call_next(request)
+        
+        # Extract API key from various sources (legacy compatibility)
+        api_key = self._extract_api_key(request)
+        
+        # Check for API key in JSON-RPC request body if not found in headers/query
+        if not api_key and request.method in ["POST", "PUT", "PATCH"]:
+            try:
+                body = await request.body()
+                if body:
+                    try:
+                        body_json = json.loads(body.decode("utf-8"))
+                        # Look for API key in params of JSON-RPC object
+                        if isinstance(body_json, dict) and "params" in body_json:
+                            api_key = body_json.get("params", {}).get("api_key")
+                    except json.JSONDecodeError:
+                        pass
+            except Exception:
+                pass
+        
+        if api_key:
+            # Validate API key
+            username = self._validate_api_key(api_key)
+            if username:
+                # Store username in request state for backward compatibility
+                request.state.username = username
+                logger.debug(f"API key authentication successful for {username}")
+                return await call_next(request)
+            else:
+                logger.warning(f"Invalid API key provided | Path: {path}")
+                return self._create_error_response("Invalid API key", 401)
+        else:
+            logger.warning(f"API key not provided | Path: {path}")
+            return self._create_error_response("API key not provided", 401)
+    
+    def _extract_api_key(self, request: Request) -> Optional[str]:
+        """
+        Extract API key from request (legacy compatibility).
+        
+        Args:
+            request: Request object
+            
+        Returns:
+            API key or None
+        """
+        # Check for API key in header
+        api_key = request.headers.get("X-API-Key")
+        
+        if not api_key:
+            # Check for API key in query parameters
+            api_key = request.query_params.get("api_key")
+        
+        # Note: Body extraction is handled in dispatch method
+        # This method only handles headers and query parameters
+        
+        return api_key
+    
+    def _is_public_path(self, path: str) -> bool:
+        """
+        Check if the path is public (doesn't require authentication).
+        
+        Args:
+            path: Request path
+            
+        Returns:
+            True if path is public, False otherwise
+        """
+        return any(path.startswith(public_path) for public_path in self.public_paths)
+    
+    def _validate_api_key(self, api_key: str) -> Optional[str]:
+        """
+        Validate API key and return username.
+        
+        Args:
+            api_key: API key to validate
+            
+        Returns:
+            Username if valid, None otherwise
+        """
+        return self.api_keys.get(api_key)
+    
+    def _create_error_response(self, message: str, status_code: int) -> JSONResponse:
+        """
+        Create error response in AuthMiddleware format.
+        
+        Args:
+            message: Error message
+            status_code: HTTP status code
+            
+        Returns:
+            JSONResponse with error
+        """
+        return JSONResponse(
+            status_code=status_code,
+            content={
+                "jsonrpc": "2.0",
+                "error": {
+                    "code": -32000 if status_code == 401 else -32603,
+                    "message": message,
+                    "data": {
+                        "auth_type": "api_key",
+                        "status_code": status_code
+                    }
+                },
+                "id": None
+            }
+        )
+    
+    def get_username(self, request: Request) -> Optional[str]:
+        """
+        Get username from request state (backward compatibility).
+        
+        Args:
+            request: Request object
+            
+        Returns:
+            Username or None
+        """
+        return getattr(request.state, 'username', None)
+    
+    def is_authenticated(self, request: Request) -> bool:
+        """
+        Check if request is authenticated (backward compatibility).
+        
+        Args:
+            request: Request object
+            
+        Returns:
+            True if authenticated, False otherwise
+        """
+        return hasattr(request.state, 'username') and request.state.username is not None

mcp_proxy_adapter/api/middleware/error_handling.py

@@ -17,6 +17,15 @@ class ErrorHandlingMiddleware(BaseMiddleware):
     Middleware for handling and formatting errors.
     """
     
+    def __init__(self, app):
+        """
+        Initialize error handling middleware.
+        
+        Args:
+            app: FastAPI application
+        """
+        super().__init__(app)
+    
     async def dispatch(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
         """
         Processes request and catches errors.