mcp-proxy-adapter 4.1.0__py3-none-any.whl → 6.0.0__py3-none-any.whl

mcp_proxy_adapter/core/ssl_utils.py

@@ -0,0 +1,233 @@
+"""
+SSL Utilities Module
+
+This module provides utilities for SSL/TLS configuration and certificate validation.
+Integrates with AuthValidator from Phase 0 for certificate validation.
+
+Author: MCP Proxy Adapter Team
+Version: 1.0.0
+"""
+
+import ssl
+import logging
+from typing import List, Optional, Dict, Any
+from pathlib import Path
+
+from .auth_validator import AuthValidator
+
+logger = logging.getLogger(__name__)
+
+
+class SSLUtils:
+    """
+    SSL utilities for creating SSL contexts and validating certificates.
+    """
+    
+    # TLS version mapping
+    TLS_VERSIONS = {
+        "1.0": ssl.TLSVersion.TLSv1,
+        "1.1": ssl.TLSVersion.TLSv1_1,
+        "1.2": ssl.TLSVersion.TLSv1_2,
+        "1.3": ssl.TLSVersion.TLSv1_3
+    }
+    
+    # Cipher suite mapping
+    CIPHER_SUITES = {
+        "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
+        "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
+        "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
+        "ECDHE-RSA-AES256-GCM-SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
+        "ECDHE-RSA-AES128-GCM-SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
+        "ECDHE-RSA-CHACHA20-POLY1305": "ECDHE-RSA-CHACHA20-POLY1305"
+    }
+    
+    @staticmethod
+    def create_ssl_context(cert_file: str, key_file: str, 
+                          ca_cert: Optional[str] = None, 
+                          verify_client: bool = False,
+                          cipher_suites: Optional[List[str]] = None,
+                          min_tls_version: str = "1.2",
+                          max_tls_version: str = "1.3") -> ssl.SSLContext:
+        """
+        Create SSL context with specified configuration.
+        
+        Args:
+            cert_file: Path to certificate file
+            key_file: Path to private key file
+            ca_cert: Path to CA certificate file (optional)
+            verify_client: Whether to verify client certificates
+            cipher_suites: List of cipher suites to use
+            min_tls_version: Minimum TLS version
+            max_tls_version: Maximum TLS version
+            
+        Returns:
+            Configured SSL context
+            
+        Raises:
+            ValueError: If certificate validation fails
+            FileNotFoundError: If certificate or key files not found
+        """
+        # Validate certificate using AuthValidator
+        validator = AuthValidator()
+        result = validator.validate_certificate(cert_file)
+        if not result.is_valid:
+            raise ValueError(f"Invalid certificate: {result.error_message}")
+        
+        # Check if files exist
+        if not Path(cert_file).exists():
+            raise FileNotFoundError(f"Certificate file not found: {cert_file}")
+        if not Path(key_file).exists():
+            raise FileNotFoundError(f"Key file not found: {key_file}")
+        if ca_cert and not Path(ca_cert).exists():
+            raise FileNotFoundError(f"CA certificate file not found: {ca_cert}")
+        
+        # Create SSL context
+        if verify_client:
+            context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+        else:
+            context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+        
+        # Load certificate and key
+        context.load_cert_chain(cert_file, key_file)
+        
+        # Load CA certificate if provided
+        if ca_cert:
+            context.load_verify_locations(ca_cert)
+        
+        # Configure client verification
+        if verify_client:
+            context.verify_mode = ssl.CERT_REQUIRED
+            context.check_hostname = False
+        else:
+            context.verify_mode = ssl.CERT_NONE
+        
+        # Setup cipher suites
+        SSLUtils.setup_cipher_suites(context, cipher_suites or [])
+        
+        # Setup TLS versions
+        SSLUtils.setup_tls_versions(context, min_tls_version, max_tls_version)
+        
+        logger.info(f"SSL context created successfully with cert: {cert_file}")
+        return context
+    
+    @staticmethod
+    def validate_certificate(cert_file: str) -> bool:
+        """
+        Validate certificate using AuthValidator.
+        
+        Args:
+            cert_file: Path to certificate file
+            
+        Returns:
+            True if certificate is valid, False otherwise
+        """
+        try:
+            validator = AuthValidator()
+            result = validator.validate_certificate(cert_file)
+            return result.is_valid
+        except Exception as e:
+            logger.error(f"Certificate validation failed: {e}")
+            return False
+    
+    @staticmethod
+    def setup_cipher_suites(context: ssl.SSLContext, cipher_suites: List[str]) -> None:
+        """
+        Setup cipher suites for SSL context.
+        
+        Args:
+            context: SSL context to configure
+            cipher_suites: List of cipher suite names
+        """
+        if not cipher_suites:
+            return
+        
+        # Convert cipher suite names to actual cipher suite strings
+        actual_ciphers = []
+        for cipher_name in cipher_suites:
+            if cipher_name in SSLUtils.CIPHER_SUITES:
+                actual_ciphers.append(SSLUtils.CIPHER_SUITES[cipher_name])
+            else:
+                logger.warning(f"Unknown cipher suite: {cipher_name}")
+        
+        if actual_ciphers:
+            try:
+                context.set_ciphers(":".join(actual_ciphers))
+                logger.info(f"Cipher suites configured: {actual_ciphers}")
+            except ssl.SSLError as e:
+                logger.error(f"Failed to set cipher suites: {e}")
+    
+    @staticmethod
+    def setup_tls_versions(context: ssl.SSLContext, min_version: str, max_version: str) -> None:
+        """
+        Setup TLS version range for SSL context.
+        
+        Args:
+            context: SSL context to configure
+            min_version: Minimum TLS version
+            max_version: Maximum TLS version
+        """
+        try:
+            min_tls = SSLUtils.TLS_VERSIONS.get(min_version)
+            max_tls = SSLUtils.TLS_VERSIONS.get(max_version)
+            
+            if min_tls and max_tls:
+                context.minimum_version = min_tls
+                context.maximum_version = max_tls
+                logger.info(f"TLS versions configured: {min_version} - {max_version}")
+            else:
+                logger.warning(f"Invalid TLS version range: {min_version} - {max_version}")
+        except Exception as e:
+            logger.error(f"Failed to set TLS versions: {e}")
+    
+    @staticmethod
+    def check_tls_version(min_version: str, max_version: str) -> bool:
+        """
+        Check if TLS version range is valid.
+        
+        Args:
+            min_version: Minimum TLS version
+            max_version: Maximum TLS version
+            
+        Returns:
+            True if version range is valid, False otherwise
+        """
+        min_tls = SSLUtils.TLS_VERSIONS.get(min_version)
+        max_tls = SSLUtils.TLS_VERSIONS.get(max_version)
+        
+        if not min_tls or not max_tls:
+            return False
+        
+        # Check if min version is less than or equal to max version
+        return min_tls <= max_tls
+    
+    @staticmethod
+    def get_ssl_config_for_uvicorn(ssl_config: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Get SSL configuration for uvicorn from transport configuration.
+        
+        Args:
+            ssl_config: SSL configuration from transport manager
+            
+        Returns:
+            Configuration for uvicorn
+        """
+        uvicorn_ssl = {}
+        
+        if not ssl_config:
+            return uvicorn_ssl
+        
+        # Basic SSL parameters
+        if ssl_config.get("cert_file"):
+            uvicorn_ssl["ssl_certfile"] = ssl_config["cert_file"]
+        
+        if ssl_config.get("key_file"):
+            uvicorn_ssl["ssl_keyfile"] = ssl_config["key_file"]
+        
+        if ssl_config.get("ca_cert"):
+            uvicorn_ssl["ssl_ca_certs"] = ssl_config["ca_cert"]
+        
+        # Note: uvicorn doesn't support ssl_verify_mode parameter
+        # Client verification is handled at the application level
+        
+        logger.info(f"Generated uvicorn SSL config: {uvicorn_ssl}")
+        return uvicorn_ssl 

mcp_proxy_adapter/core/transport_manager.py

@@ -0,0 +1,292 @@
+"""
+Transport manager module.
+
+This module provides transport management functionality for the MCP Proxy Adapter.
+"""
+
+from typing import Dict, Any, Optional
+from dataclasses import dataclass
+from enum import Enum
+from pathlib import Path
+
+from mcp_proxy_adapter.core.logging import logger
+
+
+class TransportType(Enum):
+    """Transport types enumeration."""
+    HTTP = "http"
+    HTTPS = "https"
+    MTLS = "mtls"
+
+
+@dataclass
+class TransportConfig:
+    """Transport configuration data class."""
+    type: TransportType
+    port: Optional[int]
+    ssl_enabled: bool
+    cert_file: Optional[str]
+    key_file: Optional[str]
+    ca_cert: Optional[str]
+    verify_client: bool
+    client_cert_required: bool
+
+
+class TransportManager:
+    """
+    Transport manager for handling different transport types.
+    
+    This class manages transport configuration and provides utilities
+    for determining ports and SSL settings based on transport type.
+    """
+    
+    # Default ports for transport types
+    DEFAULT_PORTS = {
+        TransportType.HTTP: 8000,
+        TransportType.HTTPS: 8443,
+        TransportType.MTLS: 9443
+    }
+    
+    def __init__(self):
+        """Initialize transport manager."""
+        self._config: Optional[TransportConfig] = None
+        self._current_transport: Optional[TransportType] = None
+    
+    def load_config(self, config: Dict[str, Any]) -> bool:
+        """
+        Load transport configuration from config dict.
+        
+        Args:
+            config: Configuration dictionary
+            
+        Returns:
+            True if config loaded successfully, False otherwise
+        """
+        try:
+            transport_config = config.get("transport", {})
+            
+            # Get transport type
+            transport_type_str = transport_config.get("type", "http").lower()
+            try:
+                transport_type = TransportType(transport_type_str)
+            except ValueError:
+                logger.error(f"Invalid transport type: {transport_type_str}")
+                return False
+            
+            # Get port (use default if not specified)
+            port = transport_config.get("port")
+            if port is None:
+                port = self.DEFAULT_PORTS.get(transport_type, 8000)
+            
+            # Get SSL configuration
+            ssl_config = transport_config.get("ssl", {})
+            ssl_enabled = ssl_config.get("enabled", False)
+            
+            # Validate SSL requirements
+            if transport_type in [TransportType.HTTPS, TransportType.MTLS] and not ssl_enabled:
+                logger.error(f"SSL must be enabled for transport type: {transport_type.value}")
+                return False
+            
+            if transport_type == TransportType.HTTP and ssl_enabled:
+                logger.warning("SSL enabled for HTTP transport - this may cause issues")
+            
+            # Create transport config
+            self._config = TransportConfig(
+                type=transport_type,
+                port=port,
+                ssl_enabled=ssl_enabled,
+                cert_file=ssl_config.get("cert_file") if ssl_enabled else None,
+                key_file=ssl_config.get("key_file") if ssl_enabled else None,
+                ca_cert=ssl_config.get("ca_cert") if ssl_enabled else None,
+                verify_client=ssl_config.get("verify_client", False),
+                client_cert_required=ssl_config.get("client_cert_required", False)
+            )
+            
+            self._current_transport = transport_type
+            
+            logger.info(f"Transport config loaded: {transport_type.value} on port {port}")
+            return True
+            
+        except Exception as e:
+            logger.error(f"Failed to load transport config: {e}")
+            return False
+    
+    def get_transport_type(self) -> Optional[TransportType]:
+        """
+        Get current transport type.
+        
+        Returns:
+            Current transport type or None if not configured
+        """
+        return self._current_transport
+    
+    def get_port(self) -> Optional[int]:
+        """
+        Get configured port.
+        
+        Returns:
+            Port number or None if not configured
+        """
+        return self._config.port if self._config else None
+    
+    def is_ssl_enabled(self) -> bool:
+        """
+        Check if SSL is enabled.
+        
+        Returns:
+            True if SSL is enabled, False otherwise
+        """
+        return self._config.ssl_enabled if self._config else False
+    
+    def get_ssl_config(self) -> Optional[Dict[str, Any]]:
+        """
+        Get SSL configuration.
+        
+        Returns:
+            SSL configuration dict or None if SSL not enabled
+        """
+        if not self._config or not self._config.ssl_enabled:
+            return None
+        
+        return {
+            "cert_file": self._config.cert_file,
+            "key_file": self._config.key_file,
+            "ca_cert": self._config.ca_cert,
+            "verify_client": self._config.verify_client,
+            "client_cert_required": self._config.client_cert_required
+        }
+    
+    def is_mtls(self) -> bool:
+        """
+        Check if current transport is MTLS.
+        
+        Returns:
+            True if MTLS transport, False otherwise
+        """
+        return self._current_transport == TransportType.MTLS
+    
+    def is_https(self) -> bool:
+        """
+        Check if current transport is HTTPS.
+        
+        Returns:
+            True if HTTPS transport, False otherwise
+        """
+        return self._current_transport == TransportType.HTTPS
+    
+    def is_http(self) -> bool:
+        """
+        Check if current transport is HTTP.
+        
+        Returns:
+            True if HTTP transport, False otherwise
+        """
+        return self._current_transport == TransportType.HTTP
+    
+    def get_transport_info(self) -> Dict[str, Any]:
+        """
+        Get transport information.
+        
+        Returns:
+            Dictionary with transport information
+        """
+        if not self._config:
+            return {"error": "Transport not configured"}
+        
+        return {
+            "type": self._config.type.value,
+            "port": self._config.port,
+            "ssl_enabled": self._config.ssl_enabled,
+            "is_mtls": self.is_mtls(),
+            "is_https": self.is_https(),
+            "is_http": self.is_http(),
+            "ssl_config": self.get_ssl_config()
+        }
+    
+    def validate_config(self) -> bool:
+        """
+        Validate current transport configuration.
+        
+        Returns:
+            True if configuration is valid, False otherwise
+        """
+        if not self._config:
+            logger.error("Transport not configured")
+            return False
+        
+        # Validate SSL requirements
+        if self._config.type in [TransportType.HTTPS, TransportType.MTLS]:
+            if not self._config.ssl_enabled:
+                logger.error(f"SSL must be enabled for {self._config.type.value}")
+                return False
+            
+            if not self._config.cert_file or not self._config.key_file:
+                logger.error(f"SSL certificate and key required for {self._config.type.value}")
+                return False
+        
+        # Validate SSL files exist
+        if not self.validate_ssl_files():
+            return False
+        
+        # Validate MTLS requirements
+        if self._config.type == TransportType.MTLS:
+            if not self._config.verify_client:
+                logger.warning("MTLS transport should have client verification enabled")
+            
+            if not self._config.ca_cert:
+                logger.warning("CA certificate recommended for MTLS transport")
+        
+        logger.info(f"Transport configuration validated: {self._config.type.value}")
+        return True
+    
+    def validate_ssl_files(self) -> bool:
+        """
+        Check if SSL files exist.
+        
+        Returns:
+            True if all SSL files exist, False otherwise
+        """
+        if not self._config or not self._config.ssl_enabled:
+            return True
+        
+        files_to_check = []
+        if self._config.cert_file:
+            files_to_check.append(self._config.cert_file)
+        if self._config.key_file:
+            files_to_check.append(self._config.key_file)
+        if self._config.ca_cert:
+            files_to_check.append(self._config.ca_cert)
+        
+        for file_path in files_to_check:
+            if not Path(file_path).exists():
+                logger.error(f"SSL file not found: {file_path}")
+                return False
+        
+        logger.info(f"All SSL files validated successfully: {files_to_check}")
+        return True
+    
+    def get_uvicorn_config(self) -> Dict[str, Any]:
+        """
+        Get configuration for uvicorn.
+        
+        Returns:
+            Uvicorn configuration dictionary
+        """
+        config = {
+            "host": "0.0.0.0",  # Can be moved to settings
+            "port": self.get_port(),
+            "log_level": "info"
+        }
+        
+        if self.is_ssl_enabled():
+            ssl_config = self.get_ssl_config()
+            if ssl_config:
+                from mcp_proxy_adapter.core.ssl_utils import SSLUtils
+                uvicorn_ssl = SSLUtils.get_ssl_config_for_uvicorn(ssl_config)
+                config.update(uvicorn_ssl)
+        
+        return config
+
+
+# Global transport manager instance
+transport_manager = TransportManager() 

mcp_proxy_adapter/custom_openapi.py

@@ -96,14 +96,25 @@ class CustomOpenAPIGenerator:
         Returns:
             Dict containing the parameter schema.
         """
-        # Get command schema
-        cmd_schema = cmd_class.get_schema()
-        
-        # Add title and description
-        cmd_schema["title"] = f"Parameters for {cmd_class.name}"
-        cmd_schema["description"] = f"Parameters for the {cmd_class.name} command"
-        
-        return cmd_schema
+        try:
+            # Get command schema
+            cmd_schema = cmd_class.get_schema()
+            
+            # Add title and description
+            cmd_schema["title"] = f"Parameters for {cmd_class.name}"
+            cmd_schema["description"] = f"Parameters for the {cmd_class.name} command"
+            
+            return cmd_schema
+        except Exception as e:
+            # Return default schema if command schema generation fails
+            logger.warning(f"Failed to get schema for command {cmd_class.name}: {e}")
+            return {
+                "type": "object",
+                "title": f"Parameters for {cmd_class.name}",
+                "description": f"Parameters for the {cmd_class.name} command (schema generation failed)",
+                "properties": {},
+                "additionalProperties": True
+            }
         
     def generate(self, title: Optional[str] = None, description: Optional[str] = None, version: Optional[str] = None) -> Dict[str, Any]:
         """
@@ -262,7 +273,7 @@ class CustomOpenAPIGenerator:
         # Add commands to schema
         self._add_commands_to_schema(schema)
 
-        logger.info(f"Generated OpenAPI schema with {len(registry.get_all_commands())} commands")
+        logger.debug(f"Generated OpenAPI schema with {len(registry.get_all_commands())} commands")
 
         return schema
 
@@ -358,9 +369,9 @@ def custom_openapi_with_fallback(app: FastAPI) -> Dict[str, Any]:
         # Use the first registered generator
         generator_name = list(_openapi_generators.keys())[0]
         generator_func = _openapi_generators[generator_name]
-        logger.info(f"Using custom OpenAPI generator: {generator_name}")
+        logger.debug(f"Using custom OpenAPI generator: {generator_name}")
         return generator_func(app)
     
     # Fall back to default generator
-    logger.info("Using default OpenAPI generator")
+    logger.debug("Using default OpenAPI generator")
     return custom_openapi(app) 

mcp_proxy_adapter/examples/basic_server/config.json

@@ -1,35 +1,70 @@
 {
   "server": {
-    "host": "127.0.0.1",
-    "port": 8000,
+    "host": "0.0.0.0",
+    "port": 9443,
     "debug": true,
-    "log_level": "DEBUG"
+    "log_level": "INFO"
   },
   "logging": {
-    "level": "DEBUG",
-    "log_dir": "./logs/basic_server",
-    "log_file": "basic_server.log",
-    "error_log_file": "basic_server_error.log",
-    "access_log_file": "basic_server_access.log",
-    "max_file_size": "5MB",
-    "backup_count": 3,
-    "format": "%(asctime)s - %(name)s - %(levelname)s - %(message)s",
-    "date_format": "%Y-%m-%d %H:%M:%S",
-    "console_output": true,
-    "file_output": true
+    "level": "INFO",
+    "log_dir": "./logs",
+    "console_output": true
   },
   "commands": {
     "auto_discovery": true,
-    "discovery_path": "mcp_proxy_adapter.commands",
-    "custom_commands_path": null
+    "discovery_path": "mcp_proxy_adapter.commands"
   },
-  "custom": {
-    "server_name": "Basic MCP Proxy Server",
-    "description": "Simple example server with basic configuration",
-    "features": {
-      "hooks_enabled": false,
-      "custom_commands_enabled": false,
-      "advanced_logging": false
+  "ssl": {
+    "enabled": true,
+    "mode": "mtls_only",
+    "cert_file": "/home/vasilyvz/projects/mcp_proxy_adapter/test_env/server_test-server.crt",
+    "key_file": "/home/vasilyvz/projects/mcp_proxy_adapter/test_env/server_test-server.key",
+    "ca_cert": "/home/vasilyvz/projects/mcp_proxy_adapter/test_env/ca_test-ca.crt",
+    "verify_client": true,
+    "client_cert_required": true
+  },
+  "protocols": {
+    "enabled": false,
+    "allowed_protocols": ["https", "mtls"],
+    "http": {
+      "enabled": false,
+      "port": 8000
+    },
+    "https": {
+      "enabled": true,
+      "port": 9443
+    },
+    "mtls": {
+      "enabled": true,
+      "port": 9443
     }
+  },
+  "roles": {
+    "enabled": true,
+    "config_file": "schemas/roles_schema.json",
+    "default_policy": {
+      "deny_by_default": true,
+      "require_role_match": true,
+      "case_sensitive": false,
+      "allow_wildcard": true
+    },
+    "auto_load": true,
+    "validation_enabled": true
+  },
+  "proxy_registration": {
+    "enabled": true,
+    "proxy_url": "http://localhost:3004",
+    "server_id": "mcp_proxy_adapter_mtls",
+    "server_name": "MTLS MCP Proxy Adapter Server",
+    "description": "JSON-RPC API for interacting with MCP Proxy (MTLS mode)",
+    "registration_timeout": 30,
+    "retry_attempts": 3,
+    "retry_delay": 5,
+    "auto_register_on_startup": true,
+    "auto_unregister_on_shutdown": true
+  },
+  "custom": {
+    "description": "MTLS-only server example with mutual authentication",
+    "server_name": "MTLS MCP Proxy Adapter Server"
   }
 }