mcp-proxy-adapter 4.1.1__py3-none-any.whl → 6.0.0__py3-none-any.whl

mcp_proxy_adapter/api/middleware/mtls_middleware.py

@@ -0,0 +1,296 @@
+"""
+mTLS Middleware
+
+This module provides middleware for mutual TLS (mTLS) authentication.
+Extracts and validates client certificates, extracts roles, and validates access.
+
+Author: MCP Proxy Adapter Team
+Version: 1.0.0
+"""
+
+import logging
+from typing import Dict, List, Optional, Any
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+
+from fastapi import Request, Response
+from starlette.middleware.base import BaseHTTPMiddleware
+
+from ...core.auth_validator import AuthValidator
+from ...core.role_utils import RoleUtils
+from ...core.certificate_utils import CertificateUtils
+from .base import BaseMiddleware
+
+logger = logging.getLogger(__name__)
+
+
+class MTLSMiddleware(BaseMiddleware):
+    """
+    Middleware for mTLS authentication.
+    
+    Extracts client certificates from requests, validates them against CA,
+    extracts roles, and validates access based on configuration.
+    """
+    
+    def __init__(self, app, mtls_config: Dict[str, Any]):
+        """
+        Initialize mTLS middleware.
+        
+        Args:
+            app: FastAPI application
+            mtls_config: mTLS configuration dictionary
+        """
+        super().__init__(app)
+        self.mtls_config = mtls_config
+        self.auth_validator = AuthValidator()
+        self.role_utils = RoleUtils()
+        self.certificate_utils = CertificateUtils()
+        
+        # Extract configuration
+        self.enabled = mtls_config.get("enabled", False)
+        self.ca_cert_path = mtls_config.get("ca_cert")
+        self.verify_client = mtls_config.get("verify_client", True)
+        self.client_cert_required = mtls_config.get("client_cert_required", True)
+        self.allowed_roles = mtls_config.get("allowed_roles", [])
+        self.require_roles = mtls_config.get("require_roles", False)
+        
+        logger.info(f"mTLS middleware initialized: enabled={self.enabled}, "
+                   f"verify_client={self.verify_client}, "
+                   f"client_cert_required={self.client_cert_required}")
+    
+    async def before_request(self, request: Request) -> None:
+        """
+        Process request before calling the main handler.
+        
+        Args:
+            request: FastAPI request object
+        """
+        if not self.enabled:
+            return
+        
+        try:
+            # Extract client certificate
+            client_cert = self._extract_client_certificate(request)
+            
+            if client_cert is None:
+                if self.client_cert_required:
+                    raise ValueError("Client certificate is required but not provided")
+                return
+            
+            # Validate client certificate
+            if not self._validate_client_certificate(client_cert):
+                raise ValueError("Client certificate validation failed")
+            
+            # Extract roles from certificate
+            roles = self._extract_roles_from_certificate(client_cert)
+            
+            # Validate access based on roles
+            if self.require_roles and not self._validate_access(roles):
+                raise ValueError("Access denied: insufficient roles")
+            
+            # Store certificate and roles in request state
+            request.state.client_certificate = client_cert
+            request.state.client_roles = roles
+            request.state.client_common_name = self._get_common_name(client_cert)
+            
+            logger.debug(f"mTLS authentication successful for {request.state.client_common_name} "
+                        f"with roles: {roles}")
+            
+        except Exception as e:
+            logger.error(f"mTLS authentication failed: {e}")
+            raise
+    
+    def _extract_client_certificate(self, request: Request) -> Optional[x509.Certificate]:
+        """
+        Extract client certificate from request.
+        
+        Args:
+            request: FastAPI request object
+            
+        Returns:
+            Client certificate object or None if not found
+        """
+        try:
+            # Check if client certificate is available in SSL context
+            if hasattr(request, 'scope') and 'ssl' in request.scope:
+                ssl_context = request.scope['ssl']
+                if hasattr(ssl_context, 'getpeercert'):
+                    cert_data = ssl_context.getpeercert(binary_form=True)
+                    if cert_data:
+                        return x509.load_der_x509_certificate(cert_data)
+            
+            # Check for certificate in headers (for proxy scenarios)
+            cert_header = request.headers.get('ssl-client-cert')
+            if cert_header:
+                # Remove header prefix if present
+                if cert_header.startswith('-----BEGIN CERTIFICATE-----'):
+                    cert_data = cert_header.encode('utf-8')
+                else:
+                    # Assume it's base64 encoded
+                    import base64
+                    cert_data = base64.b64decode(cert_header)
+                
+                return x509.load_pem_x509_certificate(cert_data)
+            
+            return None
+            
+        except Exception as e:
+            logger.error(f"Failed to extract client certificate: {e}")
+            return None
+    
+    def _validate_client_certificate(self, cert: x509.Certificate) -> bool:
+        """
+        Validate client certificate.
+        
+        Args:
+            cert: Client certificate object
+            
+        Returns:
+            True if certificate is valid, False otherwise
+        """
+        try:
+            if not self.verify_client:
+                return True
+            
+            # Convert certificate to PEM format for validation
+            cert_pem = cert.public_bytes(serialization.Encoding.PEM)
+            
+            # Use AuthValidator to validate certificate
+            result = self.auth_validator.validate_certificate_data(cert_pem)
+            if not result.is_valid:
+                logger.warning(f"Certificate validation failed: {result.error_message}")
+                return False
+            
+            # Validate certificate chain if CA is provided
+            if self.ca_cert_path and self.ca_cert_path != "None":
+                # Create temporary file for certificate
+                import tempfile
+                import os
+                
+                with tempfile.NamedTemporaryFile(mode='wb', suffix='.crt', delete=False) as f:
+                    f.write(cert_pem)
+                    temp_cert_path = f.name
+                
+                try:
+                    chain_valid = self.certificate_utils.validate_certificate_chain(
+                        temp_cert_path, self.ca_cert_path
+                    )
+                    if not chain_valid:
+                        logger.warning("Certificate chain validation failed")
+                        return False
+                finally:
+                    os.unlink(temp_cert_path)
+            
+            return True
+            
+        except Exception as e:
+            logger.error(f"Failed to validate client certificate: {e}")
+            return False
+    
+    def _extract_roles_from_certificate(self, cert: x509.Certificate) -> List[str]:
+        """
+        Extract roles from client certificate.
+        
+        Args:
+            cert: Client certificate object
+            
+        Returns:
+            List of roles extracted from certificate
+        """
+        try:
+            return self.certificate_utils.extract_roles_from_certificate_object(cert)
+        except Exception as e:
+            logger.error(f"Failed to extract roles from certificate: {e}")
+            return []
+    
+    def _validate_access(self, roles: List[str]) -> bool:
+        """
+        Validate access based on roles.
+        
+        Args:
+            roles: List of roles from client certificate
+            
+        Returns:
+            True if access is allowed, False otherwise
+        """
+        try:
+            if not self.allowed_roles:
+                return True
+            
+            if not roles:
+                return False
+            
+            # Check if any of the client roles match allowed roles
+            for client_role in roles:
+                for allowed_role in self.allowed_roles:
+                    if self.role_utils.compare_roles(client_role, allowed_role):
+                        return True
+            
+            return False
+            
+        except Exception as e:
+            logger.error(f"Failed to validate access: {e}")
+            return False
+    
+    def _get_common_name(self, cert: x509.Certificate) -> str:
+        """
+        Get common name from certificate.
+        
+        Args:
+            cert: Certificate object
+            
+        Returns:
+            Common name or empty string if not found
+        """
+        try:
+            for name_attribute in cert.subject:
+                if name_attribute.oid == x509.NameOID.COMMON_NAME:
+                    return str(name_attribute.value)
+            return ""
+        except Exception as e:
+            logger.error(f"Failed to get common name: {e}")
+            return ""
+    
+    async def handle_error(self, request: Request, exception: Exception) -> Response:
+        """
+        Handle mTLS authentication errors.
+        
+        Args:
+            request: FastAPI request object
+            exception: Exception that occurred
+            
+        Returns:
+            Error response
+        """
+        from fastapi.responses import JSONResponse
+        
+        error_message = str(exception)
+        
+        if "certificate is required" in error_message.lower():
+            status_code = 401
+            error_code = -32009  # Certificate not found
+        elif "validation failed" in error_message.lower():
+            status_code = 401
+            error_code = -32003  # Certificate validation failed
+        elif "access denied" in error_message.lower():
+            status_code = 403
+            error_code = -32007  # Role validation failed
+        else:
+            status_code = 500
+            error_code = -32603  # Internal error
+        
+        return JSONResponse(
+            status_code=status_code,
+            content={
+                "jsonrpc": "2.0",
+                "error": {
+                    "code": error_code,
+                    "message": error_message,
+                    "data": {
+                        "validation_type": "mtls",
+                        "request_id": getattr(request.state, 'request_id', None)
+                    }
+                },
+                "id": None
+            }
+        ) 

mcp_proxy_adapter/api/middleware/protocol_middleware.py

@@ -0,0 +1,135 @@
+"""
+Protocol middleware module.
+
+This module provides middleware for validating protocol access based on configuration.
+"""
+
+from typing import Callable
+from fastapi import Request, Response
+from starlette.middleware.base import BaseHTTPMiddleware
+from starlette.responses import JSONResponse
+
+from mcp_proxy_adapter.core.protocol_manager import protocol_manager
+from mcp_proxy_adapter.core.logging import logger
+
+
+class ProtocolMiddleware(BaseHTTPMiddleware):
+    """
+    Middleware for protocol validation.
+    
+    This middleware checks if the incoming request protocol is allowed
+    based on the protocol configuration.
+    """
+    
+    def __init__(self, app, protocol_manager_instance=None):
+        """
+        Initialize protocol middleware.
+        
+        Args:
+            app: FastAPI application
+            protocol_manager_instance: Protocol manager instance (optional)
+        """
+        super().__init__(app)
+        self.protocol_manager = protocol_manager_instance or protocol_manager
+    
+    async def dispatch(self, request: Request, call_next: Callable) -> Response:
+        """
+        Process request through protocol middleware.
+        
+        Args:
+            request: Incoming request
+            call_next: Next middleware/endpoint function
+            
+        Returns:
+            Response object
+        """
+        try:
+            # Get protocol from request
+            protocol = self._get_request_protocol(request)
+            
+            # Check if protocol is allowed
+            if not self.protocol_manager.is_protocol_allowed(protocol):
+                logger.warning(f"Protocol '{protocol}' not allowed for request to {request.url.path}")
+                return JSONResponse(
+                    status_code=403,
+                    content={
+                        "error": "Protocol not allowed",
+                        "message": f"Protocol '{protocol}' is not allowed. Allowed protocols: {self.protocol_manager.get_allowed_protocols()}",
+                        "allowed_protocols": self.protocol_manager.get_allowed_protocols()
+                    }
+                )
+            
+            # Continue processing
+            response = await call_next(request)
+            return response
+            
+        except Exception as e:
+            logger.error(f"Protocol middleware error: {e}")
+            return JSONResponse(
+                status_code=500,
+                content={
+                    "error": "Protocol validation error",
+                    "message": str(e)
+                }
+            )
+    
+    def _get_request_protocol(self, request: Request) -> str:
+        """
+        Extract protocol from request.
+        
+        Args:
+            request: FastAPI request object
+            
+        Returns:
+            Protocol name (http, https, mtls)
+        """
+        # Check if request is secure (HTTPS)
+        if request.url.scheme:
+            scheme = request.url.scheme.lower()
+            
+            # If HTTPS, check if client certificate is provided (MTLS)
+            if scheme == "https":
+                # Check for client certificate in headers or SSL context
+                if hasattr(request, 'scope') and 'ssl' in request.scope:
+                    ssl_context = request.scope.get('ssl')
+                    if ssl_context and hasattr(ssl_context, 'getpeercert'):
+                        try:
+                            cert = ssl_context.getpeercert()
+                            if cert:
+                                return "mtls"
+                        except:
+                            pass
+                
+                # Check for client certificate in headers
+                if request.headers.get("ssl-client-cert") or request.headers.get("x-client-cert"):
+                    return "mtls"
+                
+                return "https"
+            
+            return scheme
+        
+        # Fallback to checking headers
+        if request.headers.get("x-forwarded-proto"):
+            return request.headers.get("x-forwarded-proto").lower()
+        
+        # Default to HTTP
+        return "http"
+
+
+def setup_protocol_middleware(app, protocol_manager_instance=None):
+    """
+    Setup protocol middleware for FastAPI application.
+    
+    Args:
+        app: FastAPI application
+        protocol_manager_instance: Protocol manager instance (optional)
+    """
+    if protocol_manager_instance is None:
+        protocol_manager_instance = protocol_manager
+    
+    # Only add middleware if protocol management is enabled
+    if protocol_manager_instance.enabled:
+        app.add_middleware(ProtocolMiddleware, protocol_manager_instance=protocol_manager_instance)
+        logger.info("Protocol middleware added to application")
+    else:
+        logger.debug("Protocol management is disabled, skipping protocol middleware") 

mcp_proxy_adapter/api/middleware/rate_limit_adapter.py

@@ -0,0 +1,241 @@
+"""
+Rate Limit Middleware Adapter for backward compatibility.
+
+This module provides an adapter that maintains the same interface as RateLimitMiddleware
+while using the new SecurityMiddleware internally.
+"""
+
+import time
+from typing import Dict, List, Callable, Awaitable, Any
+from collections import defaultdict
+
+from fastapi import Request, Response
+from starlette.responses import JSONResponse
+
+from mcp_proxy_adapter.core.logging import logger
+from .base import BaseMiddleware
+from .security import SecurityMiddleware
+
+
+class RateLimitMiddlewareAdapter(BaseMiddleware):
+    """
+    Adapter for RateLimitMiddleware that uses SecurityMiddleware internally.
+    
+    Maintains the same interface as the original RateLimitMiddleware for backward compatibility.
+    """
+    
+    def __init__(self, app, rate_limit: int = 100, time_window: int = 60, 
+                 by_ip: bool = True, by_user: bool = True,
+                 public_paths: List[str] = None):
+        """
+        Initialize rate limit middleware adapter.
+        
+        Args:
+            app: FastAPI application
+            rate_limit: Maximum number of requests in the specified time period
+            time_window: Time period in seconds
+            by_ip: Limit requests by IP address
+            by_user: Limit requests by user
+            public_paths: List of paths for which rate limiting is not applied
+        """
+        super().__init__(app)
+        
+        # Store original parameters for backward compatibility
+        self.rate_limit = rate_limit
+        self.time_window = time_window
+        self.by_ip = by_ip
+        self.by_user = by_user
+        self.public_paths = public_paths or [
+            "/docs", 
+            "/redoc", 
+            "/openapi.json", 
+            "/health"
+        ]
+        
+        # Legacy storage for backward compatibility
+        self.ip_requests = defaultdict(list)
+        self.user_requests = defaultdict(list)
+        
+        # Create internal security middleware
+        self.security_middleware = self._create_security_middleware()
+        
+        logger.info(f"RateLimitMiddlewareAdapter initialized: rate_limit={rate_limit}, "
+                   f"time_window={time_window}, by_ip={by_ip}, by_user={by_user}")
+    
+    def _create_security_middleware(self) -> SecurityMiddleware:
+        """
+        Create internal SecurityMiddleware with RateLimitMiddleware configuration.
+        
+        Returns:
+            SecurityMiddleware instance
+        """
+        # Convert RateLimitMiddleware config to SecurityMiddleware config
+        security_config = {
+            "security": {
+                "enabled": True,
+                "auth": {
+                    "enabled": False
+                },
+                "ssl": {
+                    "enabled": False
+                },
+                "permissions": {
+                    "enabled": False
+                },
+                "rate_limit": {
+                    "enabled": True,
+                    "requests_per_minute": self.rate_limit,
+                    "requests_per_hour": self.rate_limit * 60,
+                    "burst_limit": self.rate_limit // 10,
+                    "by_ip": self.by_ip,
+                    "by_user": self.by_user
+                },
+                "public_paths": self.public_paths
+            }
+        }
+        
+        return SecurityMiddleware(self.app, security_config)
+    
+    async def dispatch(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
+        """
+        Process request using internal SecurityMiddleware with legacy fallback.
+        
+        Args:
+            request: Request object
+            call_next: Next handler
+            
+        Returns:
+            Response object
+        """
+        # Check if path is public
+        path = request.url.path
+        if self._is_public_path(path):
+            return await call_next(request)
+        
+        # Try to use SecurityMiddleware first
+        try:
+            await self.security_middleware.before_request(request)
+            return await call_next(request)
+            
+        except Exception as e:
+            # Fallback to legacy rate limiting if SecurityMiddleware fails
+            logger.warning(f"SecurityMiddleware rate limiting failed, using legacy fallback: {e}")
+            return await self._legacy_rate_limit_check(request, call_next)
+    
+    async def _legacy_rate_limit_check(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
+        """
+        Legacy rate limiting implementation as fallback.
+        
+        Args:
+            request: Request object
+            call_next: Next handler
+            
+        Returns:
+            Response object
+        """
+        current_time = time.time()
+        client_ip = request.client.host if request.client else "unknown"
+        username = getattr(request.state, "username", None)
+        
+        # Check limit by IP
+        if self.by_ip and client_ip != "unknown":
+            self._clean_old_requests(self.ip_requests[client_ip], current_time)
+            
+            if len(self.ip_requests[client_ip]) >= self.rate_limit:
+                logger.warning(f"Rate limit exceeded for IP: {client_ip}")
+                return self._create_error_response("Rate limit exceeded", 429)
+            
+            self.ip_requests[client_ip].append(current_time)
+        
+        # Check limit by user
+        if self.by_user and username:
+            self._clean_old_requests(self.user_requests[username], current_time)
+            
+            if len(self.user_requests[username]) >= self.rate_limit:
+                logger.warning(f"Rate limit exceeded for user: {username}")
+                return self._create_error_response("Rate limit exceeded", 429)
+            
+            self.user_requests[username].append(current_time)
+        
+        return await call_next(request)
+    
+    def _clean_old_requests(self, requests_list: List[float], current_time: float) -> None:
+        """
+        Remove old requests from the list.
+        
+        Args:
+            requests_list: List of request timestamps
+            current_time: Current time
+        """
+        cutoff_time = current_time - self.time_window
+        requests_list[:] = [req_time for req_time in requests_list if req_time > cutoff_time]
+    
+    def _is_public_path(self, path: str) -> bool:
+        """
+        Check if the path is public (doesn't require rate limiting).
+        
+        Args:
+            path: Request path
+            
+        Returns:
+            True if path is public, False otherwise
+        """
+        return any(path.startswith(public_path) for public_path in self.public_paths)
+    
+    def _create_error_response(self, message: str, status_code: int) -> JSONResponse:
+        """
+        Create error response in RateLimitMiddleware format.
+        
+        Args:
+            message: Error message
+            status_code: HTTP status code
+            
+        Returns:
+            JSONResponse with error
+        """
+        return JSONResponse(
+            status_code=status_code,
+            content={
+                "jsonrpc": "2.0",
+                "error": {
+                    "code": -32008 if status_code == 429 else -32603,
+                    "message": message,
+                    "data": {
+                        "rate_limit": self.rate_limit,
+                        "time_window": self.time_window,
+                        "status_code": status_code
+                    }
+                },
+                "id": None
+            }
+        )
+    
+    def get_rate_limit_info(self, request: Request) -> Dict[str, Any]:
+        """
+        Get rate limit information for the request (backward compatibility).
+        
+        Args:
+            request: Request object
+            
+        Returns:
+            Dictionary with rate limit information
+        """
+        client_ip = request.client.host if request.client else "unknown"
+        username = getattr(request.state, "username", None)
+        
+        info = {
+            "rate_limit": self.rate_limit,
+            "time_window": self.time_window,
+            "by_ip": self.by_ip,
+            "by_user": self.by_user
+        }
+        
+        if self.by_ip and client_ip != "unknown":
+            info["ip_requests"] = len(self.ip_requests[client_ip])
+            info["ip_remaining"] = max(0, self.rate_limit - len(self.ip_requests[client_ip]))
+        
+        if self.by_user and username:
+            info["user_requests"] = len(self.user_requests[username])
+            info["user_remaining"] = max(0, self.rate_limit - len(self.user_requests[username]))
+        
+        return info