mcp-proxy-adapter 4.1.1__py3-none-any.whl → 6.0.1__py3-none-any.whl

mcp_proxy_adapter/api/middleware/transport_middleware.py

@@ -0,0 +1,122 @@
+"""
+Transport Middleware Module
+
+This module provides middleware for transport validation in the MCP Proxy Adapter.
+"""
+
+from typing import Callable
+from fastapi import Request, Response
+from fastapi.responses import JSONResponse
+from starlette.middleware.base import BaseHTTPMiddleware
+
+from mcp_proxy_adapter.core.transport_manager import transport_manager
+from mcp_proxy_adapter.core.logging import logger
+
+
+class TransportMiddleware(BaseHTTPMiddleware):
+    """Middleware for transport validation."""
+    
+    def __init__(self, app, transport_manager_instance=None):
+        """
+        Initialize transport middleware.
+        
+        Args:
+            app: FastAPI application
+            transport_manager_instance: Transport manager instance (optional)
+        """
+        super().__init__(app)
+        self.transport_manager = transport_manager_instance or transport_manager
+    
+    async def dispatch(self, request: Request, call_next: Callable) -> Response:
+        """
+        Process request through transport middleware.
+        
+        Args:
+            request: Incoming request
+            call_next: Next middleware/endpoint
+            
+        Returns:
+            Response from next middleware/endpoint or error response
+        """
+        # Determine transport type from request
+        transport_type = self._get_request_transport_type(request)
+        
+        # Check if request matches configured transport
+        if not self._is_transport_allowed(transport_type):
+            configured_type = self.transport_manager.get_transport_type()
+            configured_type_str = configured_type.value if configured_type else "not configured"
+            logger.warning(f"Transport not allowed: {transport_type} for {request.url}")
+            return JSONResponse(
+                status_code=403,
+                content={
+                    "error": "Transport not allowed",
+                    "message": f"Transport '{transport_type}' is not allowed. Configured transport: {configured_type_str}",
+                    "configured_transport": configured_type_str,
+                    "request_url": str(request.url)
+                }
+            )
+        
+        # Add transport info to request state
+        request.state.transport_type = transport_type
+        request.state.transport_allowed = True
+        
+        response = await call_next(request)
+        return response
+    
+    def _get_request_transport_type(self, request: Request) -> str:
+        """
+        Determine transport type from request.
+        
+        Args:
+            request: Incoming request
+            
+        Returns:
+            Transport type string
+        """
+        if request.url.scheme == "https":
+            # Check for client certificate for MTLS
+            if self._has_client_certificate(request):
+                return "mtls"
+            return "https"
+        return "http"
+    
+    def _has_client_certificate(self, request: Request) -> bool:
+        """
+        Check if request has client certificate.
+        
+        Args:
+            request: Incoming request
+            
+        Returns:
+            True if client certificate is present, False otherwise
+        """
+        # Check for client certificate in request headers or SSL context
+        # This is a simplified check - in production, you might need more sophisticated detection
+        client_cert_header = request.headers.get("ssl-client-cert")
+        if client_cert_header:
+            return True
+        
+        # Check if request has SSL client certificate context
+        if hasattr(request, "client") and request.client:
+            # In a real implementation, you would check the SSL context
+            # For now, we'll assume HTTPS with client cert is MTLS
+            return self.transport_manager.is_mtls()
+        
+        return False
+    
+    def _is_transport_allowed(self, transport_type: str) -> bool:
+        """
+        Check if transport type is allowed.
+        
+        Args:
+            transport_type: Transport type to check
+            
+        Returns:
+            True if transport is allowed, False otherwise
+        """
+        configured_type = self.transport_manager.get_transport_type()
+        if not configured_type:
+            logger.error("Transport not configured")
+            return False
+        
+        return transport_type == configured_type.value 

mcp_proxy_adapter/api/middleware/unified_security.py

@@ -0,0 +1,197 @@
+"""
+Unified Security Middleware - Direct Framework Integration
+
+This middleware now directly uses mcp_security_framework components
+instead of custom implementations.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import time
+import logging
+from typing import Dict, Any, Optional, Callable, Awaitable
+from fastapi import Request, Response
+from starlette.middleware.base import BaseHTTPMiddleware
+
+# Direct import from framework
+try:
+    from mcp_security_framework.middleware.fastapi_middleware import FastAPISecurityMiddleware
+    from mcp_security_framework import SecurityManager
+    from mcp_security_framework.schemas.config import SecurityConfig
+    SECURITY_FRAMEWORK_AVAILABLE = True
+except ImportError:
+    SECURITY_FRAMEWORK_AVAILABLE = False
+    FastAPISecurityMiddleware = None
+    SecurityManager = None
+    SecurityConfig = None
+
+from mcp_proxy_adapter.core.logging import logger
+from mcp_proxy_adapter.core.security_integration import create_security_integration
+
+
+class SecurityValidationError(Exception):
+    """Security validation error."""
+    
+    def __init__(self, message: str, error_code: int):
+        self.message = message
+        self.error_code = error_code
+        super().__init__(self.message)
+
+
+class UnifiedSecurityMiddleware(BaseHTTPMiddleware):
+    """
+    Unified security middleware using mcp_security_framework.
+    
+    This middleware now directly uses the security framework's FastAPI middleware
+    and components instead of custom implementations.
+    """
+    
+    def __init__(self, app, config: Dict[str, Any]):
+        """
+        Initialize unified security middleware.
+        
+        Args:
+            app: FastAPI application
+            config: mcp_proxy_adapter configuration dictionary
+        """
+        super().__init__(app)
+        self.config = config
+        
+        # Create security integration
+        try:
+            security_config = config.get("security", {})
+            self.security_integration = create_security_integration(security_config)
+            # Use framework's FastAPI middleware
+            self.framework_middleware = self.security_integration.security_manager.create_fastapi_middleware()
+            logger.info("Using mcp_security_framework FastAPI middleware")
+            # IMPORTANT: Don't replace self.app! This breaks the middleware chain.
+            # Instead, store the framework middleware for use in dispatch method.
+            logger.info("Framework middleware will be used in dispatch method")
+        except Exception as e:
+            logger.error(f"Security framework integration failed: {e}")
+            # Instead of raising error, log warning and continue without security
+            logger.warning("Continuing without security framework - some security features will be disabled")
+            self.security_integration = None
+            self.framework_middleware = None
+            # Keep original app in place when framework middleware is unavailable
+            # BaseHTTPMiddleware initialized it via super().__init__(app)
+        
+        logger.info("Unified security middleware initialized")
+    
+    async def dispatch(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
+        """
+        Process request using framework middleware.
+        
+        Args:
+            request: Request object
+            call_next: Next handler
+            
+        Returns:
+            Response object
+        """
+        try:
+            # Simple built-in API key enforcement if configured
+            security_cfg = self.config.get("security", {}) if isinstance(self.config, dict) else {}
+            auth_cfg = security_cfg.get("auth", {})
+            permissions_cfg = security_cfg.get("permissions", {})
+            public_paths = set(auth_cfg.get("public_paths", ["/health", "/docs", "/openapi.json"]))
+            # JSON-RPC endpoint must not be public when API key is required
+            public_paths.discard("/api/jsonrpc")
+            path = request.url.path
+            methods = set(auth_cfg.get("methods", []))
+            api_keys: Dict[str, str] = auth_cfg.get("api_keys", {}) or {}
+
+            # Enforce only for non-public paths when api_key method configured
+            if security_cfg.get("enabled", False) and ("api_key" in methods) and (path not in public_paths):
+                # Accept either X-API-Key or Authorization: Bearer
+                token = request.headers.get("X-API-Key")
+                if not token:
+                    authz = request.headers.get("Authorization", "")
+                    if authz.startswith("Bearer "):
+                        token = authz[7:]
+                if not token or (api_keys and token not in api_keys):
+                    from fastapi.responses import JSONResponse
+                    return JSONResponse(status_code=401, content={
+                        "error": {
+                            "code": 401,
+                            "message": "Unauthorized: invalid or missing API key",
+                            "type": "authentication_error"
+                        }
+                    })
+
+            # Continue with framework middleware or regular flow
+            if self.framework_middleware:
+                # If framework middleware exists, we need to call it manually
+                # This is a workaround since we can't chain ASGI apps in BaseHTTPMiddleware
+                logger.debug("Framework middleware exists, continuing with regular call_next")
+                return await call_next(request)
+            else:
+                # No framework middleware, continue normally
+                return await call_next(request)
+
+        except SecurityValidationError as e:
+            # Handle security validation errors
+            return await self._handle_security_error(request, e)
+        except Exception as e:
+            # Handle other errors
+            logger.error(f"Unexpected error in unified security middleware: {e}")
+            return await self._handle_general_error(request, e)
+    
+
+    
+    async def _handle_security_error(self, request: Request, error: SecurityValidationError) -> Response:
+        """
+        Handle security validation errors.
+        
+        Args:
+            request: Request object
+            error: Security validation error
+            
+        Returns:
+            Error response
+        """
+        from fastapi.responses import JSONResponse
+        
+        error_response = {
+            "error": {
+                "code": error.error_code,
+                "message": error.message,
+                "type": "security_validation_error"
+            }
+        }
+        
+        logger.warning(f"Security validation failed: {error.message}")
+        
+        return JSONResponse(
+            status_code=error.error_code,
+            content=error_response
+        )
+    
+    async def _handle_general_error(self, request: Request, error: Exception) -> Response:
+        """
+        Handle general errors.
+        
+        Args:
+            request: Request object
+            error: General error
+            
+        Returns:
+            Error response
+        """
+        from fastapi.responses import JSONResponse
+        
+        error_response = {
+                "error": {
+                "code": 500,
+                    "message": "Internal server error",
+                "type": "general_error"
+            }
+        }
+        
+        logger.error(f"General error in security middleware: {error}")
+        
+        return JSONResponse(
+            status_code=500,
+            content=error_response
+        )

mcp_proxy_adapter/api/middleware/user_info_middleware.py

@@ -0,0 +1,158 @@
+"""
+User Info Middleware
+
+This middleware extracts user information from authentication headers
+and sets it in request.state for use by commands.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import logging
+from typing import Dict, Any, Optional, Callable, Awaitable
+from fastapi import Request, Response
+from starlette.middleware.base import BaseHTTPMiddleware
+
+from mcp_proxy_adapter.core.logging import logger
+
+# Import mcp_security_framework components
+try:
+    from mcp_security_framework import AuthManager
+    from mcp_security_framework.schemas.config import AuthConfig
+    _MCP_SECURITY_AVAILABLE = True
+    print("✅ mcp_security_framework available in middleware")
+except ImportError:
+    _MCP_SECURITY_AVAILABLE = False
+    print("⚠️ mcp_security_framework not available in middleware, using basic auth")
+
+
+class UserInfoMiddleware(BaseHTTPMiddleware):
+    """
+    Middleware for setting user information in request.state.
+    
+    This middleware extracts user information from authentication headers
+    and sets it in request.state for use by commands.
+    """
+    
+    def __init__(self, app, config: Dict[str, Any]):
+        """
+        Initialize user info middleware.
+
+        Args:
+            app: FastAPI application
+            config: Configuration dictionary
+        """
+        super().__init__(app)
+        self.config = config
+
+        # Initialize AuthManager if available
+        self.auth_manager = None
+        self._security_available = _MCP_SECURITY_AVAILABLE
+
+        if self._security_available:
+            try:
+                # Get API keys configuration
+                security_config = config.get("security", {})
+                auth_config = security_config.get("auth", {})
+
+                # Create AuthConfig for mcp_security_framework
+                mcp_auth_config = AuthConfig(
+                    enabled=True,
+                    methods=["api_key"],
+                    api_keys=auth_config.get("api_keys", {})
+                )
+
+                self.auth_manager = AuthManager(mcp_auth_config)
+                logger.info("✅ User info middleware initialized with mcp_security_framework")
+            except Exception as e:
+                logger.warning(f"⚠️ Failed to initialize AuthManager: {e}")
+                self._security_available = False
+
+        if not self._security_available:
+            # Fallback to basic API key handling
+            security_config = config.get("security", {})
+            auth_config = security_config.get("auth", {})
+            self.api_keys = auth_config.get("api_keys", {})
+            logger.info("ℹ️ User info middleware initialized with basic auth")
+    
+    async def dispatch(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
+        """
+        Process request and set user info in request.state.
+        
+        Args:
+            request: Request object
+            call_next: Next handler
+            
+        Returns:
+            Response object
+        """
+        # Extract API key from headers
+        api_key = request.headers.get("X-API-Key")
+        
+        if api_key:
+            if self.auth_manager and self._security_available:
+                try:
+                    # Use mcp_security_framework AuthManager
+                    auth_result = self.auth_manager.authenticate_api_key(api_key)
+
+                    if auth_result.is_valid:
+                        # Set user info from AuthManager result
+                        request.state.user = {
+                            "id": api_key,
+                            "role": auth_result.roles[0] if auth_result.roles else "guest",
+                            "roles": auth_result.roles or ["guest"],
+                            "permissions": getattr(auth_result, 'permissions', ["read"])
+                        }
+                        logger.debug(f"✅ Authenticated user with mcp_security_framework: {request.state.user}")
+                    else:
+                        # Authentication failed
+                        request.state.user = {
+                            "id": None,
+                            "role": "guest",
+                            "roles": ["guest"],
+                            "permissions": ["read"]
+                        }
+                        logger.debug(f"❌ Authentication failed for API key: {api_key[:8]}...")
+                except Exception as e:
+                    logger.warning(f"⚠️ AuthManager error: {e}, falling back to basic auth")
+                    self._security_available = False
+
+            if not self._security_available:
+                # Fallback to basic API key handling
+                if api_key in getattr(self, 'api_keys', {}):
+                    user_role = self.api_keys[api_key]
+
+                    # Get permissions for this role from roles file if available
+                    role_permissions = ["read"]  # default permissions
+                    if hasattr(self, 'roles_config') and self.roles_config and user_role in self.roles_config:
+                        role_permissions = self.roles_config[user_role].get("permissions", ["read"])
+
+                    # Set user info in request.state
+                    request.state.user = {
+                        "id": api_key,
+                        "role": user_role,
+                        "roles": [user_role],
+                        "permissions": role_permissions
+                    }
+
+                    logger.debug(f"✅ Authenticated user with basic auth: {request.state.user}")
+                else:
+                    # API key not found
+                    request.state.user = {
+                        "id": None,
+                        "role": "guest",
+                        "roles": ["guest"],
+                        "permissions": ["read"]
+                    }
+                    logger.debug(f"❌ API key not found: {api_key[:8]}...")
+        else:
+            # No API key provided - guest access
+            request.state.user = {
+                "id": None,
+                "role": "guest",
+                "roles": ["guest"],
+                "permissions": ["read"]
+            }
+            logger.debug("ℹ️ No API key provided, using guest access")
+        
+        return await call_next(request)

mcp_proxy_adapter/commands/__init__.py

@@ -6,9 +6,15 @@ from mcp_proxy_adapter.commands.base import Command
 from mcp_proxy_adapter.commands.command_registry import registry, CommandRegistry
 from mcp_proxy_adapter.commands.dependency_container import container, DependencyContainer
 from mcp_proxy_adapter.commands.result import CommandResult, SuccessResult, ErrorResult
-
-# Automatically discover and register commands
-registry.discover_commands()
+from mcp_proxy_adapter.commands.auth_validation_command import AuthValidationCommand
+from mcp_proxy_adapter.commands.ssl_setup_command import SSLSetupCommand
+from mcp_proxy_adapter.commands.certificate_management_command import CertificateManagementCommand
+from mcp_proxy_adapter.commands.key_management_command import KeyManagementCommand
+from mcp_proxy_adapter.commands.cert_monitor_command import CertMonitorCommand
+from mcp_proxy_adapter.commands.transport_management_command import TransportManagementCommand
+from mcp_proxy_adapter.commands.role_test_command import RoleTestCommand
+from mcp_proxy_adapter.commands.echo_command import EchoCommand
+from mcp_proxy_adapter.commands.proxy_registration_command import ProxyRegistrationCommand
 
 __all__ = [
     "Command",
@@ -18,5 +24,14 @@ __all__ = [
     "registry",
     "CommandRegistry",
     "container",
-    "DependencyContainer"
+    "DependencyContainer",
+    "AuthValidationCommand",
+    "SSLSetupCommand",
+    "CertificateManagementCommand",
+    "KeyManagementCommand",
+    "CertMonitorCommand",
+    "TransportManagementCommand",
+    "RoleTestCommand",
+    "EchoCommand",
+    "ProxyRegistrationCommand"
 ]