mcp-proxy-adapter 4.1.1__py3-none-any.whl → 6.0.1__py3-none-any.whl

mcp_proxy_adapter/core/server_engine.py

@@ -0,0 +1,270 @@
+"""
+Server Engine Abstraction
+
+This module provides an abstraction layer for the hypercorn ASGI server engine,
+providing full mTLS support and SSL capabilities.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import logging
+from abc import ABC, abstractmethod
+from typing import Dict, Any, Optional
+from pathlib import Path
+
+logger = logging.getLogger(__name__)
+
+
+class ServerEngine(ABC):
+    """
+    Abstract base class for server engines.
+    
+    This class defines the interface that all server engines must implement,
+    allowing the framework to work with different ASGI servers transparently.
+    """
+    
+    @abstractmethod
+    def get_name(self) -> str:
+        """Get the name of the server engine."""
+        pass
+    
+    @abstractmethod
+    def get_supported_features(self) -> Dict[str, bool]:
+        """
+        Get supported features of this server engine.
+        
+        Returns:
+            Dictionary mapping feature names to boolean support status
+        """
+        pass
+    
+    @abstractmethod
+    def get_config_schema(self) -> Dict[str, Any]:
+        """
+        Get configuration schema for this server engine.
+        
+        Returns:
+            Dictionary describing the configuration options
+        """
+        pass
+    
+    @abstractmethod
+    def validate_config(self, config: Dict[str, Any]) -> bool:
+        """
+        Validate configuration for this server engine.
+        
+        Args:
+            config: Configuration dictionary
+            
+        Returns:
+            True if configuration is valid, False otherwise
+        """
+        pass
+    
+    @abstractmethod
+    def run_server(self, app: Any, config: Dict[str, Any]) -> None:
+        """
+        Run the server with the given configuration.
+        
+        Args:
+            app: ASGI application
+            config: Server configuration
+        """
+        pass
+
+
+class HypercornEngine(ServerEngine):
+    """
+    Hypercorn server engine implementation.
+    
+    Provides full mTLS support and better SSL capabilities.
+    """
+    
+    def get_name(self) -> str:
+        return "hypercorn"
+    
+    def get_supported_features(self) -> Dict[str, bool]:
+        return {
+            "ssl_tls": True,
+            "mtls_client_certs": True,   # Full support
+            "ssl_scope_info": True,      # SSL info in request scope
+            "client_cert_verification": True,
+            "websockets": True,
+            "http2": True,
+            "reload": True
+        }
+    
+    def get_config_schema(self) -> Dict[str, Any]:
+        return {
+            "host": {"type": "string", "default": "127.0.0.1"},
+            "port": {"type": "integer", "default": 8000},
+            "log_level": {"type": "string", "default": "INFO"},
+            "certfile": {"type": "string", "optional": True},
+            "keyfile": {"type": "string", "optional": True},
+            "ca_certs": {"type": "string", "optional": True},
+            "verify_mode": {"type": "string", "optional": True},
+            "reload": {"type": "boolean", "default": False},
+            "workers": {"type": "integer", "optional": True}
+        }
+    
+    def validate_config(self, config: Dict[str, Any]) -> bool:
+        """Validate hypercorn configuration."""
+        required_fields = ["host", "port"]
+        
+        for field in required_fields:
+            if field not in config:
+                logger.error(f"Missing required field: {field}")
+                return False
+        
+        # Validate SSL files exist if specified
+        ssl_files = ["certfile", "keyfile", "ca_certs"]
+        for ssl_file in ssl_files:
+            if ssl_file in config and config[ssl_file]:
+                if not Path(config[ssl_file]).exists():
+                    logger.error(f"SSL file not found: {config[ssl_file]}")
+                    return False
+        
+        return True
+    
+    def run_server(self, app: Any, config: Dict[str, Any]) -> None:
+        """Run hypercorn server."""
+        try:
+            import hypercorn.asyncio
+            import asyncio
+            
+            # Prepare hypercorn config
+            hypercorn_config = {
+                "bind": f"{config.get('host', '127.0.0.1')}:{config.get('port', 8000)}",
+                "log_level": config.get("log_level", "INFO"),
+                "reload": config.get("reload", False)
+            }
+            
+            # Add SSL configuration if provided
+            logger.info(f"🔍 DEBUG: Input config keys: {list(config.keys())}")
+            logger.info(f"🔍 DEBUG: Input config certfile: {config.get('certfile', 'NOT_FOUND')}")
+            logger.info(f"🔍 DEBUG: Input config keyfile: {config.get('keyfile', 'NOT_FOUND')}")
+            logger.info(f"🔍 DEBUG: Input config ca_certs: {config.get('ca_certs', 'NOT_FOUND')}")
+            logger.info(f"🔍 DEBUG: Input config verify_mode: {config.get('verify_mode', 'NOT_FOUND')}")
+            
+            if "certfile" in config and config["certfile"]:
+                hypercorn_config["certfile"] = config["certfile"]
+            if "keyfile" in config and config["keyfile"]:
+                hypercorn_config["keyfile"] = config["keyfile"]
+            if "ca_certs" in config and config["ca_certs"]:
+                hypercorn_config["ca_certs"] = config["ca_certs"]
+            if "verify_mode" in config and config["verify_mode"]:
+                # Convert verify_mode string to SSL constant
+                verify_mode_str = config["verify_mode"]
+                if verify_mode_str == "CERT_NONE":
+                    import ssl
+                    hypercorn_config["verify_mode"] = ssl.CERT_NONE
+                elif verify_mode_str == "CERT_REQUIRED":
+                    import ssl
+                    hypercorn_config["verify_mode"] = ssl.CERT_REQUIRED
+                elif verify_mode_str == "CERT_OPTIONAL":
+                    import ssl
+                    hypercorn_config["verify_mode"] = ssl.CERT_OPTIONAL
+                else:
+                    hypercorn_config["verify_mode"] = verify_mode_str
+            
+            # Add workers if specified
+            if "workers" in config and config["workers"]:
+                hypercorn_config["workers"] = config["workers"]
+            
+            logger.info(f"Starting hypercorn server with config: {hypercorn_config}")
+            logger.info(f"SSL config from input: {config.get('ssl', 'NOT_FOUND')}")
+            logger.info(f"Security SSL config: {config.get('security', {}).get('ssl', 'NOT_FOUND')}")
+            logger.info(f"🔍 DEBUG: Hypercorn verify_mode: {hypercorn_config.get('verify_mode', 'NOT_SET')}")
+            logger.info(f"🔍 DEBUG: Hypercorn ca_certs: {hypercorn_config.get('ca_certs', 'NOT_SET')}")
+            
+            # Create config object
+            config_obj = hypercorn.Config()
+            for key, value in hypercorn_config.items():
+                setattr(config_obj, key, value)
+            
+            # Run server
+            asyncio.run(hypercorn.asyncio.serve(app, config_obj))
+            
+        except ImportError:
+            logger.error("hypercorn not installed. Install with: pip install hypercorn")
+            raise
+        except Exception as e:
+            logger.error(f"Failed to start hypercorn server: {e}")
+            raise
+
+
+class ServerEngineFactory:
+    """
+    Factory for creating server engines.
+    
+    This class manages the creation and configuration of different server engines.
+    """
+    
+    _engines: Dict[str, ServerEngine] = {}
+    
+    @classmethod
+    def register_engine(cls, engine: ServerEngine) -> None:
+        """
+        Register a server engine.
+        
+        Args:
+            engine: Server engine instance to register
+        """
+        cls._engines[engine.get_name()] = engine
+        logger.info(f"Registered server engine: {engine.get_name()}")
+    
+    @classmethod
+    def get_engine(cls, name: str) -> Optional[ServerEngine]:
+        """
+        Get a server engine by name.
+        
+        Args:
+            name: Name of the server engine
+            
+        Returns:
+            Server engine instance or None if not found
+        """
+        return cls._engines.get(name)
+    
+    @classmethod
+    def get_available_engines(cls) -> Dict[str, ServerEngine]:
+        """
+        Get all available server engines.
+        
+        Returns:
+            Dictionary mapping engine names to engine instances
+        """
+        return cls._engines.copy()
+    
+    @classmethod
+    def get_engine_with_feature(cls, feature: str) -> Optional[ServerEngine]:
+        """
+        Get the first available engine that supports a specific feature.
+        
+        Args:
+            feature: Name of the feature to check
+            
+        Returns:
+            Server engine that supports the feature or None
+        """
+        for engine in cls._engines.values():
+            if engine.get_supported_features().get(feature, False):
+                return engine
+        return None
+    
+    @classmethod
+    def initialize_default_engines(cls) -> None:
+        """Initialize default server engines."""
+        # Register hypercorn engine (only supported engine)
+        try:
+            import hypercorn
+            cls.register_engine(HypercornEngine())
+            logger.info("Hypercorn engine registered (full mTLS support available)")
+        except ImportError:
+            logger.error("Hypercorn not available - this is required for the framework")
+            raise
+
+
+# Initialize default engines
+ServerEngineFactory.initialize_default_engines()

mcp_proxy_adapter/core/settings.py

@@ -117,6 +117,7 @@ class Settings:
         return {
             "auto_discovery": config.get("commands.auto_discovery", True),
             "discovery_path": config.get("commands.discovery_path", "mcp_proxy_adapter.commands"),
+            "auto_commands_path": config.get("commands.auto_commands_path"),
             "custom_commands_path": config.get("commands.custom_commands_path")
         }
     

mcp_proxy_adapter/core/ssl_utils.py

@@ -0,0 +1,234 @@
+"""
+SSL Utilities Module
+
+This module provides utilities for SSL/TLS configuration and certificate validation.
+Integrates with AuthValidator from Phase 0 for certificate validation.
+
+Author: MCP Proxy Adapter Team
+Version: 1.0.0
+"""
+
+import ssl
+import logging
+from typing import List, Optional, Dict, Any
+from pathlib import Path
+
+from .auth_validator import AuthValidator
+
+logger = logging.getLogger(__name__)
+
+
+class SSLUtils:
+    """
+    SSL utilities for creating SSL contexts and validating certificates.
+    """
+    
+    # TLS version mapping
+    TLS_VERSIONS = {
+        "1.0": ssl.TLSVersion.TLSv1,
+        "1.1": ssl.TLSVersion.TLSv1_1,
+        "1.2": ssl.TLSVersion.TLSv1_2,
+        "1.3": ssl.TLSVersion.TLSv1_3
+    }
+    
+    # Cipher suite mapping
+    CIPHER_SUITES = {
+        "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
+        "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
+        "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
+        "ECDHE-RSA-AES256-GCM-SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
+        "ECDHE-RSA-AES128-GCM-SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
+        "ECDHE-RSA-CHACHA20-POLY1305": "ECDHE-RSA-CHACHA20-POLY1305"
+    }
+    
+    @staticmethod
+    def create_ssl_context(cert_file: str, key_file: str, 
+                          ca_cert: Optional[str] = None, 
+                          verify_client: bool = False,
+                          cipher_suites: Optional[List[str]] = None,
+                          min_tls_version: str = "1.2",
+                          max_tls_version: str = "1.3") -> ssl.SSLContext:
+        """
+        Create SSL context with specified configuration.
+        
+        Args:
+            cert_file: Path to certificate file
+            key_file: Path to private key file
+            ca_cert: Path to CA certificate file (optional)
+            verify_client: Whether to verify client certificates
+            cipher_suites: List of cipher suites to use
+            min_tls_version: Minimum TLS version
+            max_tls_version: Maximum TLS version
+            
+        Returns:
+            Configured SSL context
+            
+        Raises:
+            ValueError: If certificate validation fails
+            FileNotFoundError: If certificate or key files not found
+        """
+        # Validate certificate using AuthValidator
+        validator = AuthValidator()
+        result = validator.validate_certificate(cert_file)
+        if not result.is_valid:
+            raise ValueError(f"Invalid certificate: {result.error_message}")
+        
+        # Check if files exist
+        if not Path(cert_file).exists():
+            raise FileNotFoundError(f"Certificate file not found: {cert_file}")
+        if not Path(key_file).exists():
+            raise FileNotFoundError(f"Key file not found: {key_file}")
+        if ca_cert and not Path(ca_cert).exists():
+            raise FileNotFoundError(f"CA certificate file not found: {ca_cert}")
+        
+        # Create SSL context
+        if verify_client:
+            context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+        else:
+            context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+        
+        # Load certificate and key
+        context.load_cert_chain(cert_file, key_file)
+        
+        # Load CA certificate if provided
+        if ca_cert:
+            context.load_verify_locations(ca_cert)
+        
+        # Configure client verification
+        if verify_client:
+            context.verify_mode = ssl.CERT_REQUIRED
+            context.check_hostname = False
+        else:
+            context.verify_mode = ssl.CERT_NONE
+        
+        # Setup cipher suites
+        SSLUtils.setup_cipher_suites(context, cipher_suites or [])
+        
+        # Setup TLS versions
+        SSLUtils.setup_tls_versions(context, min_tls_version, max_tls_version)
+        
+        logger.info(f"SSL context created successfully with cert: {cert_file}")
+        return context
+    
+    @staticmethod
+    def validate_certificate(cert_file: str) -> bool:
+        """
+        Validate certificate using AuthValidator.
+        
+        Args:
+            cert_file: Path to certificate file
+            
+        Returns:
+            True if certificate is valid, False otherwise
+        """
+        try:
+            validator = AuthValidator()
+            result = validator.validate_certificate(cert_file)
+            return result.is_valid
+        except Exception as e:
+            logger.error(f"Certificate validation failed: {e}")
+            return False
+    
+    @staticmethod
+    def setup_cipher_suites(context: ssl.SSLContext, cipher_suites: List[str]) -> None:
+        """
+        Setup cipher suites for SSL context.
+        
+        Args:
+            context: SSL context to configure
+            cipher_suites: List of cipher suite names
+        """
+        if not cipher_suites:
+            return
+        
+        # Convert cipher suite names to actual cipher suite strings
+        actual_ciphers = []
+        for cipher_name in cipher_suites:
+            if cipher_name in SSLUtils.CIPHER_SUITES:
+                actual_ciphers.append(SSLUtils.CIPHER_SUITES[cipher_name])
+            else:
+                logger.warning(f"Unknown cipher suite: {cipher_name}")
+        
+        if actual_ciphers:
+            try:
+                context.set_ciphers(":".join(actual_ciphers))
+                logger.info(f"Cipher suites configured: {actual_ciphers}")
+            except ssl.SSLError as e:
+                logger.error(f"Failed to set cipher suites: {e}")
+    
+    @staticmethod
+    def setup_tls_versions(context: ssl.SSLContext, min_version: str, max_version: str) -> None:
+        """
+        Setup TLS version range for SSL context.
+        
+        Args:
+            context: SSL context to configure
+            min_version: Minimum TLS version
+            max_version: Maximum TLS version
+        """
+        try:
+            min_tls = SSLUtils.TLS_VERSIONS.get(min_version)
+            max_tls = SSLUtils.TLS_VERSIONS.get(max_version)
+            
+            if min_tls and max_tls:
+                context.minimum_version = min_tls
+                context.maximum_version = max_tls
+                logger.info(f"TLS versions configured: {min_version} - {max_version}")
+            else:
+                logger.warning(f"Invalid TLS version range: {min_version} - {max_version}")
+        except Exception as e:
+            logger.error(f"Failed to set TLS versions: {e}")
+    
+    @staticmethod
+    def check_tls_version(min_version: str, max_version: str) -> bool:
+        """
+        Check if TLS version range is valid.
+        
+        Args:
+            min_version: Minimum TLS version
+            max_version: Maximum TLS version
+            
+        Returns:
+            True if version range is valid, False otherwise
+        """
+        min_tls = SSLUtils.TLS_VERSIONS.get(min_version)
+        max_tls = SSLUtils.TLS_VERSIONS.get(max_version)
+        
+        if not min_tls or not max_tls:
+            return False
+        
+        # Check if min version is less than or equal to max version
+        return min_tls <= max_tls
+    
+    @staticmethod
+    def get_ssl_config_for_hypercorn(ssl_config: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Get SSL configuration for hypercorn from transport configuration.
+        
+        Args:
+            ssl_config: SSL configuration from transport manager
+            
+        Returns:
+            Configuration for hypercorn
+        """
+        hypercorn_ssl = {}
+        
+        if not ssl_config:
+            return hypercorn_ssl
+        
+        # Basic SSL parameters
+        if ssl_config.get("cert_file"):
+            hypercorn_ssl["certfile"] = ssl_config["cert_file"]
+        
+        if ssl_config.get("key_file"):
+            hypercorn_ssl["keyfile"] = ssl_config["key_file"]
+        
+        if ssl_config.get("ca_cert"):
+            hypercorn_ssl["ca_certs"] = ssl_config["ca_cert"]
+        
+        # Client verification mode
+        if ssl_config.get("verify_client", False):
+            hypercorn_ssl["verify_mode"] = "CERT_REQUIRED"
+        
+        logger.info(f"Generated hypercorn SSL config: {hypercorn_ssl}")
+        return hypercorn_ssl