mcp-proxy-adapter 4.1.0__py3-none-any.whl → 6.0.0__py3-none-any.whl

mcp_proxy_adapter/core/config_converter.py

@@ -0,0 +1,405 @@
+"""
+Configuration Converter for security framework integration.
+
+This module provides utilities to convert between mcp_proxy_adapter configuration
+format and mcp_security_framework configuration format, ensuring backward compatibility.
+"""
+
+import json
+import logging
+from typing import Dict, Any, Optional
+from pathlib import Path
+
+from mcp_proxy_adapter.core.logging import logger
+
+
+class ConfigConverter:
+    """
+    Converter for configuration formats.
+    
+    Provides methods to convert between mcp_proxy_adapter configuration
+    and mcp_security_framework configuration formats.
+    """
+    
+    @staticmethod
+    def to_security_framework_config(mcp_config: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Convert mcp_proxy_adapter configuration to SecurityConfig format.
+        
+        Args:
+            mcp_config: mcp_proxy_adapter configuration dictionary
+            
+        Returns:
+            SecurityConfig compatible dictionary
+        """
+        try:
+            # Start with default security framework config
+            security_config = {
+                "auth": {
+                    "enabled": True,
+                    "methods": ["api_key"],
+                    "api_keys": {},
+                    "jwt_secret": "",
+                    "jwt_algorithm": "HS256"
+                },
+                "ssl": {
+                    "enabled": False,
+                    "cert_file": None,
+                    "key_file": None,
+                    "ca_cert": None,
+                    "min_tls_version": "TLSv1.2",
+                    "verify_client": False,
+                    "client_cert_required": False
+                },
+                "permissions": {
+                    "enabled": True,
+                    "roles_file": "roles.json",
+                    "default_role": "user",
+                    "deny_by_default": True
+                },
+                "rate_limit": {
+                    "enabled": True,
+                    "requests_per_minute": 60,
+                    "requests_per_hour": 1000,
+                    "burst_limit": 10,
+                    "by_ip": True,
+                    "by_user": True
+                }
+            }
+            
+            # Convert from security section if exists
+            if "security" in mcp_config:
+                security_section = mcp_config["security"]
+                
+                # Convert auth config
+                if "auth" in security_section:
+                    auth_config = security_section["auth"]
+                    security_config["auth"].update({
+                        "enabled": auth_config.get("enabled", True),
+                        "methods": auth_config.get("methods", ["api_key"]),
+                        "api_keys": auth_config.get("api_keys", {}),
+                        "jwt_secret": auth_config.get("jwt_secret", ""),
+                        "jwt_algorithm": auth_config.get("jwt_algorithm", "HS256")
+                    })
+                
+                # Convert SSL config
+                if "ssl" in security_section:
+                    ssl_config = security_section["ssl"]
+                    security_config["ssl"].update({
+                        "enabled": ssl_config.get("enabled", False),
+                        "cert_file": ssl_config.get("cert_file"),
+                        "key_file": ssl_config.get("key_file"),
+                        "ca_cert": ssl_config.get("ca_cert"),
+                        "min_tls_version": ssl_config.get("min_tls_version", "TLSv1.2"),
+                        "verify_client": ssl_config.get("verify_client", False),
+                        "client_cert_required": ssl_config.get("client_cert_required", False)
+                    })
+                
+                # Convert permissions config
+                if "permissions" in security_section:
+                    permissions_config = security_section["permissions"]
+                    security_config["permissions"].update({
+                        "enabled": permissions_config.get("enabled", True),
+                        "roles_file": permissions_config.get("roles_file", "roles.json"),
+                        "default_role": permissions_config.get("default_role", "user"),
+                        "deny_by_default": permissions_config.get("deny_by_default", True)
+                    })
+                
+                # Convert rate limit config
+                if "rate_limit" in security_section:
+                    rate_limit_config = security_section["rate_limit"]
+                    security_config["rate_limit"].update({
+                        "enabled": rate_limit_config.get("enabled", True),
+                        "requests_per_minute": rate_limit_config.get("requests_per_minute", 60),
+                        "requests_per_hour": rate_limit_config.get("requests_per_hour", 1000),
+                        "burst_limit": rate_limit_config.get("burst_limit", 10),
+                        "by_ip": rate_limit_config.get("by_ip", True),
+                        "by_user": rate_limit_config.get("by_user", True)
+                    })
+            
+            # Convert from legacy SSL config if security section doesn't exist
+            elif "ssl" in mcp_config:
+                ssl_config = mcp_config["ssl"]
+                security_config["ssl"].update({
+                    "enabled": ssl_config.get("enabled", False),
+                    "cert_file": ssl_config.get("cert_file"),
+                    "key_file": ssl_config.get("key_file"),
+                    "ca_cert": ssl_config.get("ca_cert"),
+                    "min_tls_version": ssl_config.get("min_tls_version", "TLSv1.2"),
+                    "verify_client": ssl_config.get("verify_client", False),
+                    "client_cert_required": ssl_config.get("client_cert_required", False)
+                })
+                
+                # Extract API keys from legacy SSL config
+                if "api_keys" in ssl_config:
+                    security_config["auth"]["api_keys"] = ssl_config["api_keys"]
+            
+            # Convert from legacy roles config
+            if "roles" in mcp_config:
+                roles_config = mcp_config["roles"]
+                security_config["permissions"].update({
+                    "enabled": roles_config.get("enabled", True),
+                    "roles_file": roles_config.get("config_file", "roles.json"),
+                    "default_role": "user",
+                    "deny_by_default": roles_config.get("default_policy", {}).get("deny_by_default", True)
+                })
+            
+            logger.info("Configuration converted to security framework format successfully")
+            return security_config
+            
+        except Exception as e:
+            logger.error(f"Failed to convert configuration to security framework format: {e}")
+            return ConfigConverter._get_default_security_config()
+    
+    @staticmethod
+    def from_security_framework_config(security_config: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Convert SecurityConfig format to mcp_proxy_adapter configuration.
+        
+        Args:
+            security_config: SecurityConfig compatible dictionary
+            
+        Returns:
+            mcp_proxy_adapter configuration dictionary
+        """
+        try:
+            mcp_config = {
+                "security": {
+                    "framework": "mcp_security_framework",
+                    "enabled": True
+                }
+            }
+            
+            # Convert auth config
+            if "auth" in security_config:
+                auth_config = security_config["auth"]
+                mcp_config["security"]["auth"] = {
+                    "enabled": auth_config.get("enabled", True),
+                    "methods": auth_config.get("methods", ["api_key"]),
+                    "api_keys": auth_config.get("api_keys", {}),
+                    "jwt_secret": auth_config.get("jwt_secret", ""),
+                    "jwt_algorithm": auth_config.get("jwt_algorithm", "HS256")
+                }
+            
+            # Convert SSL config
+            if "ssl" in security_config:
+                ssl_config = security_config["ssl"]
+                mcp_config["security"]["ssl"] = {
+                    "enabled": ssl_config.get("enabled", False),
+                    "cert_file": ssl_config.get("cert_file"),
+                    "key_file": ssl_config.get("key_file"),
+                    "ca_cert": ssl_config.get("ca_cert"),
+                    "min_tls_version": ssl_config.get("min_tls_version", "TLSv1.2"),
+                    "verify_client": ssl_config.get("verify_client", False),
+                    "client_cert_required": ssl_config.get("client_cert_required", False)
+                }
+            
+            # Convert permissions config
+            if "permissions" in security_config:
+                permissions_config = security_config["permissions"]
+                mcp_config["security"]["permissions"] = {
+                    "enabled": permissions_config.get("enabled", True),
+                    "roles_file": permissions_config.get("roles_file", "roles.json"),
+                    "default_role": permissions_config.get("default_role", "user"),
+                    "deny_by_default": permissions_config.get("deny_by_default", True)
+                }
+            
+            # Convert rate limit config
+            if "rate_limit" in security_config:
+                rate_limit_config = security_config["rate_limit"]
+                mcp_config["security"]["rate_limit"] = {
+                    "enabled": rate_limit_config.get("enabled", True),
+                    "requests_per_minute": rate_limit_config.get("requests_per_minute", 60),
+                    "requests_per_hour": rate_limit_config.get("requests_per_hour", 1000),
+                    "burst_limit": rate_limit_config.get("burst_limit", 10),
+                    "by_ip": rate_limit_config.get("by_ip", True),
+                    "by_user": rate_limit_config.get("by_user", True)
+                }
+            
+            logger.info("Configuration converted from security framework format successfully")
+            return mcp_config
+            
+        except Exception as e:
+            logger.error(f"Failed to convert configuration from security framework format: {e}")
+            return ConfigConverter._get_default_mcp_config()
+    
+    @staticmethod
+    def migrate_legacy_config(config_path: str, output_path: Optional[str] = None) -> bool:
+        """
+        Migrate legacy configuration to new security framework format.
+        
+        Args:
+            config_path: Path to legacy configuration file
+            output_path: Path to output migrated configuration file (optional)
+            
+        Returns:
+            True if migration successful, False otherwise
+        """
+        try:
+            # Read legacy configuration
+            with open(config_path, 'r', encoding='utf-8') as f:
+                legacy_config = json.load(f)
+            
+            # Convert to new format
+            new_config = ConfigConverter.to_security_framework_config(legacy_config)
+            
+            # Add security section to legacy config
+            legacy_config["security"] = new_config
+            
+            # Determine output path
+            if output_path is None:
+                output_path = config_path.replace('.json', '_migrated.json')
+            
+            # Write migrated configuration
+            with open(output_path, 'w', encoding='utf-8') as f:
+                json.dump(legacy_config, f, indent=2, ensure_ascii=False)
+            
+            logger.info(f"Configuration migrated successfully to {output_path}")
+            return True
+            
+        except Exception as e:
+            logger.error(f"Failed to migrate configuration: {e}")
+            return False
+    
+    @staticmethod
+    def validate_security_config(config: Dict[str, Any]) -> bool:
+        """
+        Validate security configuration format.
+        
+        Args:
+            config: Configuration dictionary to validate
+            
+        Returns:
+            True if configuration is valid, False otherwise
+        """
+        try:
+            # Check if security section exists
+            if "security" not in config:
+                logger.error("Security section not found in configuration")
+                return False
+            
+            security_section = config["security"]
+            
+            # Validate required fields
+            required_sections = ["auth", "ssl", "permissions", "rate_limit"]
+            for section in required_sections:
+                if section not in security_section:
+                    logger.error(f"Required section '{section}' not found in security configuration")
+                    return False
+                
+                if not isinstance(security_section[section], dict):
+                    logger.error(f"Section '{section}' must be a dictionary")
+                    return False
+            
+            # Validate auth configuration
+            auth_config = security_section["auth"]
+            if not isinstance(auth_config.get("methods", []), list):
+                logger.error("Auth methods must be a list")
+                return False
+            
+            if not isinstance(auth_config.get("api_keys", {}), dict):
+                logger.error("API keys must be a dictionary")
+                return False
+            
+            # Validate SSL configuration
+            ssl_config = security_section["ssl"]
+            if not isinstance(ssl_config.get("enabled", False), bool):
+                logger.error("SSL enabled must be a boolean")
+                return False
+            
+            # Validate permissions configuration
+            permissions_config = security_section["permissions"]
+            if not isinstance(permissions_config.get("enabled", True), bool):
+                logger.error("Permissions enabled must be a boolean")
+                return False
+            
+            # Validate rate limit configuration
+            rate_limit_config = security_section["rate_limit"]
+            if not isinstance(rate_limit_config.get("enabled", True), bool):
+                logger.error("Rate limit enabled must be a boolean")
+                return False
+            
+            if not isinstance(rate_limit_config.get("requests_per_minute", 60), int):
+                logger.error("Requests per minute must be an integer")
+                return False
+            
+            logger.info("Security configuration validation passed")
+            return True
+            
+        except Exception as e:
+            logger.error(f"Configuration validation failed: {e}")
+            return False
+    
+    @staticmethod
+    def _get_default_security_config() -> Dict[str, Any]:
+        """
+        Get default security framework configuration.
+        
+        Returns:
+            Default security framework configuration
+        """
+        return {
+            "auth": {
+                "enabled": True,
+                "methods": ["api_key"],
+                "api_keys": {},
+                "jwt_secret": "",
+                "jwt_algorithm": "HS256"
+            },
+            "ssl": {
+                "enabled": False,
+                "cert_file": None,
+                "key_file": None,
+                "ca_cert": None,
+                "min_tls_version": "TLSv1.2",
+                "verify_client": False,
+                "client_cert_required": False
+            },
+            "permissions": {
+                "enabled": True,
+                "roles_file": "roles.json",
+                "default_role": "user",
+                "deny_by_default": True
+            },
+            "rate_limit": {
+                "enabled": True,
+                "requests_per_minute": 60,
+                "requests_per_hour": 1000,
+                "burst_limit": 10,
+                "by_ip": True,
+                "by_user": True
+            }
+        }
+    
+    @staticmethod
+    def _get_default_mcp_config() -> Dict[str, Any]:
+        """
+        Get default mcp_proxy_adapter configuration.
+        
+        Returns:
+            Default mcp_proxy_adapter configuration
+        """
+        return {
+            "security": {
+                "framework": "mcp_security_framework",
+                "enabled": True,
+                "auth": {
+                    "enabled": True,
+                    "methods": ["api_key"],
+                    "api_keys": {}
+                },
+                "ssl": {
+                    "enabled": False,
+                    "cert_file": None,
+                    "key_file": None
+                },
+                "permissions": {
+                    "enabled": True,
+                    "roles_file": "roles.json"
+                },
+                "rate_limit": {
+                    "enabled": True,
+                    "requests_per_minute": 60
+                }
+            }
+        }

mcp_proxy_adapter/core/config_validator.py

@@ -0,0 +1,218 @@
+"""
+Configuration validator for strict validation before startup.
+
+This module provides strict validation of configuration to prevent startup
+with invalid or insecure configurations.
+"""
+
+import os
+import json
+from typing import Dict, Any, List, Optional
+from pathlib import Path
+
+from mcp_proxy_adapter.core.logging import logger
+
+
+class ConfigValidator:
+    """
+    Strict configuration validator.
+    
+    Validates configuration before startup and prevents startup
+    with invalid or insecure configurations.
+    """
+    
+    def __init__(self, config: Dict[str, Any]):
+        """
+        Initialize configuration validator.
+        
+        Args:
+            config: Configuration dictionary to validate
+        """
+        self.config = config
+        self.errors: List[str] = []
+        self.warnings: List[str] = []
+    
+    def validate_all(self) -> bool:
+        """
+        Validate all configuration sections.
+        
+        Returns:
+            True if configuration is valid, False otherwise
+        """
+        self.errors.clear()
+        self.warnings.clear()
+        
+        # Validate basic structure
+        if not self._validate_basic_structure():
+            return False
+        
+        # Validate server configuration
+        if not self._validate_server_config():
+            return False
+        
+        # Validate security configuration
+        if not self._validate_security_config():
+            return False
+        
+        # Validate commands configuration
+        if not self._validate_commands_config():
+            return False
+        
+        # Validate SSL configuration
+        if not self._validate_ssl_config():
+            return False
+        
+        # Validate roles configuration
+        if not self._validate_roles_config():
+            return False
+        
+        # Log warnings if any
+        if self.warnings:
+            for warning in self.warnings:
+                logger.warning(f"Configuration warning: {warning}")
+        
+        # Return success only if no errors
+        return len(self.errors) == 0
+    
+    def _validate_basic_structure(self) -> bool:
+        """Validate basic configuration structure."""
+        required_sections = ["server", "logging", "commands"]
+        
+        for section in required_sections:
+            if section not in self.config:
+                self.errors.append(f"Missing required configuration section: {section}")
+        
+        return len(self.errors) == 0
+    
+    def _validate_server_config(self) -> bool:
+        """Validate server configuration."""
+        server_config = self.config.get("server", {})
+        
+        # Validate host
+        host = server_config.get("host")
+        if not host:
+            self.errors.append("Server host is required")
+        
+        # Validate port
+        port = server_config.get("port")
+        if not isinstance(port, int) or port < 1 or port > 65535:
+            self.errors.append("Server port must be an integer between 1 and 65535")
+        
+        return len(self.errors) == 0
+    
+    def _validate_security_config(self) -> bool:
+        """Validate security configuration."""
+        security_config = self.config.get("security", {})
+        
+        # Check if security is enabled
+        security_enabled = security_config.get("enabled", True)
+        auth_enabled = self.config.get("auth_enabled", False)
+        
+        if security_enabled and auth_enabled:
+            # Validate auth configuration
+            auth_config = security_config.get("auth", {})
+            if not auth_config.get("enabled", False):
+                self.errors.append("Security is enabled but auth is disabled")
+                return False
+            
+            # Validate API keys if auth is enabled
+            if auth_config.get("enabled", False):
+                api_keys = auth_config.get("api_keys", {})
+                if not api_keys:
+                    self.errors.append("API keys are required when authentication is enabled")
+                    return False
+                
+                # Validate API key format
+                for key, value in api_keys.items():
+                    if not key or not value:
+                        self.errors.append("API keys must have non-empty key and value")
+                        return False
+        
+        return len(self.errors) == 0
+    
+    def _validate_commands_config(self) -> bool:
+        """Validate commands configuration."""
+        commands_config = self.config.get("commands", {})
+        
+        # Validate commands directory if auto_discovery is enabled
+        if commands_config.get("auto_discovery", True):
+            commands_dir = commands_config.get("commands_directory", "./commands")
+            if not os.path.exists(commands_dir):
+                self.warnings.append(f"Commands directory does not exist: {commands_dir}")
+        
+        return True
+    
+    def _validate_ssl_config(self) -> bool:
+        """Validate SSL configuration."""
+        ssl_config = self.config.get("ssl", {})
+        ssl_enabled = ssl_config.get("enabled", False)
+        
+        if ssl_enabled:
+            # Validate certificate files
+            cert_file = ssl_config.get("cert_file")
+            key_file = ssl_config.get("key_file")
+            
+            if not cert_file or not key_file:
+                self.errors.append("SSL certificate and key files are required when SSL is enabled")
+                return False
+            
+            if not os.path.exists(cert_file):
+                self.errors.append(f"SSL certificate file not found: {cert_file}")
+            
+            if not os.path.exists(key_file):
+                self.errors.append(f"SSL private key file not found: {key_file}")
+        
+        return len(self.errors) == 0
+    
+    def _validate_roles_config(self) -> bool:
+        """Validate roles configuration."""
+        roles_config = self.config.get("roles", {})
+        roles_enabled = roles_config.get("enabled", False)
+        
+        if roles_enabled:
+            config_file = roles_config.get("config_file")
+            if not config_file:
+                self.errors.append("Roles config file is required when roles are enabled")
+                return False
+            
+            if not os.path.exists(config_file):
+                self.errors.append(f"Roles config file not found: {config_file}")
+                return False
+            
+            # Validate roles schema file
+            try:
+                with open(config_file, 'r') as f:
+                    roles_schema = json.load(f)
+                
+                if "roles" not in roles_schema:
+                    self.errors.append("Roles config file must contain 'roles' section")
+                    return False
+                
+            except (json.JSONDecodeError, IOError) as e:
+                self.errors.append(f"Failed to read roles config file: {e}")
+                return False
+        
+        return len(self.errors) == 0
+    
+    def get_errors(self) -> List[str]:
+        """Get validation errors."""
+        return self.errors.copy()
+    
+    def get_warnings(self) -> List[str]:
+        """Get validation warnings."""
+        return self.warnings.copy()
+    
+    def print_validation_report(self):
+        """Print validation report."""
+        if self.errors:
+            logger.error("Configuration validation failed:")
+            for error in self.errors:
+                logger.error(f"  - {error}")
+        
+        if self.warnings:
+            logger.warning("Configuration warnings:")
+            for warning in self.warnings:
+                logger.warning(f"  - {warning}")
+        
+        if not self.errors and not self.warnings:
+            logger.info("Configuration validation passed")

mcp_proxy_adapter/core/logging.py

@@ -121,6 +121,17 @@ def setup_logging(
     """
     # Get parameters from configuration if not explicitly specified
     level = level or config.get("logging.level", "INFO")
+    
+    # Check debug level from config if debug is enabled
+    if config.get("debug.enabled", False):
+        debug_level = config.get("debug.level", "INFO")
+        # Use debug level if it's more verbose than the logging level
+        debug_level_num = getattr(logging, debug_level.upper(), logging.INFO)
+        level_num = getattr(logging, level.upper(), logging.INFO)
+        if debug_level_num < level_num:
+            level = debug_level
+            logger.debug(f"Using debug level from config: {debug_level}")
+    
     log_file = log_file or config.get("logging.file")
     rotation_type = rotation_type or "size"  # Default to size-based rotation