mcp-proxy-adapter 4.1.1__py3-none-any.whl → 6.1.0__py3-none-any.whl

mcp_proxy_adapter/core/mtls_asgi.py

@@ -0,0 +1,156 @@
+"""
+Custom ASGI application for mTLS support.
+
+This module provides a custom ASGI application that properly handles
+client certificates in mTLS connections.
+"""
+
+import ssl
+import logging
+from typing import Dict, Any, Optional
+from starlette.applications import Starlette
+from starlette.requests import Request
+from starlette.responses import Response
+from starlette.types import ASGIApp, Receive, Send, Scope
+
+logger = logging.getLogger(__name__)
+
+
+class MTLSASGIApp:
+    """
+    Custom ASGI application that properly handles mTLS client certificates.
+    
+    This wrapper ensures that client certificates are properly extracted
+    and made available to the FastAPI application.
+    """
+    
+    def __init__(self, app: ASGIApp, ssl_config: Dict[str, Any]):
+        """
+        Initialize MTLS ASGI application.
+        
+        Args:
+            app: The underlying ASGI application (FastAPI)
+            ssl_config: SSL configuration for mTLS
+        """
+        self.app = app
+        self.ssl_config = ssl_config
+        self.verify_client = ssl_config.get("verify_client", False)
+        self.client_cert_required = ssl_config.get("client_cert_required", False)
+        
+        logger.info(f"MTLS ASGI app initialized: verify_client={self.verify_client}, "
+                   f"client_cert_required={self.client_cert_required}")
+    
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        """
+        Handle ASGI request with mTLS support.
+        
+        Args:
+            scope: ASGI scope
+            receive: ASGI receive callable
+            send: ASGI send callable
+        """
+        try:
+            # Extract client certificate from SSL context
+            if scope["type"] == "http" and "ssl" in scope:
+                client_cert = self._extract_client_certificate(scope)
+                if client_cert:
+                    # Store certificate in scope for middleware access
+                    scope["client_certificate"] = client_cert
+                    logger.debug(f"Client certificate extracted: {client_cert.get('subject', {})}")
+                elif self.client_cert_required:
+                    logger.warning("Client certificate required but not provided")
+                    # Return 401 Unauthorized
+                    await self._send_unauthorized_response(send)
+                    return
+            
+            # Call the underlying application
+            await self.app(scope, receive, send)
+            
+        except Exception as e:
+            logger.error(f"Error in MTLS ASGI app: {e}")
+            await self._send_error_response(send, str(e))
+    
+    def _extract_client_certificate(self, scope: Scope) -> Optional[Dict[str, Any]]:
+        """
+        Extract client certificate from SSL context.
+        
+        Args:
+            scope: ASGI scope
+            
+        Returns:
+            Client certificate data or None
+        """
+        try:
+            ssl_context = scope.get("ssl")
+            if not ssl_context:
+                return None
+            
+            # Get peer certificate
+            cert = ssl_context.getpeercert()
+            if cert:
+                return cert
+            
+            return None
+            
+        except Exception as e:
+            logger.error(f"Failed to extract client certificate: {e}")
+            return None
+    
+    async def _send_unauthorized_response(self, send: Send) -> None:
+        """
+        Send 401 Unauthorized response.
+        
+        Args:
+            send: ASGI send callable
+        """
+        response = {
+            "type": "http.response.start",
+            "status": 401,
+            "headers": [
+                (b"content-type", b"application/json"),
+                (b"content-length", b"163"),
+            ],
+        }
+        await send(response)
+        
+        body = b'{"jsonrpc": "2.0", "error": {"code": -32001, "message": "Unauthorized: Client certificate required"}, "id": null}'
+        await send({"type": "http.response.body", "body": body})
+    
+    async def _send_error_response(self, send: Send, error_message: str) -> None:
+        """
+        Send error response.
+        
+        Args:
+            send: ASGI send callable
+            error_message: Error message
+        """
+        response = {
+            "type": "http.response.start",
+            "status": 500,
+            "headers": [
+                (b"content-type", b"application/json"),
+            ],
+        }
+        await send(response)
+        
+        body = f'{{"jsonrpc": "2.0", "error": {{"code": -32603, "message": "Internal error: {error_message}"}}, "id": null}}'.encode()
+        await send({"type": "http.response.body", "body": body})
+
+
+def create_mtls_asgi_app(app: ASGIApp, ssl_config: Dict[str, Any]) -> ASGIApp:
+    """
+    Create MTLS-enabled ASGI application.
+    
+    Args:
+        app: The underlying ASGI application (FastAPI)
+        ssl_config: SSL configuration for mTLS
+        
+    Returns:
+        MTLS-enabled ASGI application
+    """
+    if ssl_config.get("mode") == "mtls" or ssl_config.get("verify_client", False):
+        logger.info("Creating MTLS-enabled ASGI application")
+        return MTLSASGIApp(app, ssl_config)
+    else:
+        logger.info("Creating standard ASGI application (no mTLS)")
+        return app

mcp_proxy_adapter/core/mtls_asgi_app.py

@@ -0,0 +1,187 @@
+"""
+MTLS ASGI Application Wrapper
+
+This module provides an ASGI application wrapper that extracts client certificates
+from the SSL context and makes them available to FastAPI middleware.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+Version: 1.0.0
+"""
+
+import logging
+import ssl
+from typing import Dict, Any, Optional
+from cryptography import x509
+
+logger = logging.getLogger(__name__)
+
+
+class MTLSASGIApp:
+    """
+    ASGI application wrapper for mTLS support.
+    
+    Extracts client certificates from SSL context and stores them in ASGI scope
+    for access by FastAPI middleware.
+    """
+    
+    def __init__(self, app, ssl_config: Dict[str, Any]):
+        """
+        Initialize MTLS ASGI app.
+        
+        Args:
+            app: The underlying ASGI application
+            ssl_config: SSL configuration dictionary
+        """
+        self.app = app
+        self.ssl_config = ssl_config
+        self.client_cert_required = ssl_config.get("client_cert_required", True)
+        
+        logger.info(f"MTLS ASGI app initialized: client_cert_required={self.client_cert_required}")
+    
+    async def __call__(self, scope: Dict[str, Any], receive, send):
+        """
+        Handle ASGI request with mTLS support.
+        
+        Args:
+            scope: ASGI scope dictionary
+            receive: ASGI receive callable
+            send: ASGI send callable
+        """
+        try:
+            # Extract client certificate from SSL context
+            if scope["type"] == "http" and "ssl" in scope:
+                client_cert = self._extract_client_certificate(scope)
+                if client_cert:
+                    # Store certificate in scope for middleware access
+                    scope["client_certificate"] = client_cert
+                    logger.debug(f"Client certificate extracted: {client_cert.get('subject', {})}")
+                elif self.client_cert_required:
+                    logger.warning("Client certificate required but not provided")
+                    # Return 401 Unauthorized
+                    await self._send_unauthorized_response(send)
+                    return
+            
+            # Call the underlying application
+            await self.app(scope, receive, send)
+            
+        except Exception as e:
+            logger.error(f"Error in MTLS ASGI app: {e}")
+            await self._send_error_response(send, str(e))
+    
+    def _extract_client_certificate(self, scope: Dict[str, Any]) -> Optional[Dict[str, Any]]:
+        """
+        Extract client certificate from SSL context.
+        
+        Args:
+            scope: ASGI scope dictionary
+            
+        Returns:
+            Certificate dictionary or None if not found
+        """
+        try:
+            ssl_context = scope.get("ssl")
+            if not ssl_context:
+                logger.debug("No SSL context found in scope")
+                return None
+            
+            # Try to get peer certificate
+            if hasattr(ssl_context, 'getpeercert'):
+                cert_data = ssl_context.getpeercert(binary_form=True)
+                if cert_data:
+                    # Parse certificate
+                    cert = x509.load_der_x509_certificate(cert_data)
+                    return self._cert_to_dict(cert)
+                else:
+                    logger.debug("No certificate data in SSL context")
+                    return None
+            else:
+                logger.debug("SSL context has no getpeercert method")
+                return None
+                
+        except Exception as e:
+            logger.error(f"Failed to extract client certificate: {e}")
+            return None
+    
+    def _cert_to_dict(self, cert: x509.Certificate) -> Dict[str, Any]:
+        """
+        Convert x509 certificate to dictionary.
+        
+        Args:
+            cert: x509 certificate object
+            
+        Returns:
+            Certificate dictionary
+        """
+        try:
+            # Extract subject
+            subject = {}
+            for name in cert.subject:
+                subject[name.oid._name] = name.value
+            
+            # Extract issuer
+            issuer = {}
+            for name in cert.issuer:
+                issuer[name.oid._name] = name.value
+            
+            return {
+                "subject": subject,
+                "issuer": issuer,
+                "serial_number": str(cert.serial_number),
+                "not_valid_before": cert.not_valid_before.isoformat(),
+                "not_valid_after": cert.not_valid_after.isoformat(),
+                "version": cert.version.value,
+                "signature_algorithm_oid": cert.signature_algorithm_oid._name,
+                "public_key": {
+                    "key_size": cert.public_key().key_size if hasattr(cert.public_key(), 'key_size') else None,
+                    "public_numbers": str(cert.public_key().public_numbers()) if hasattr(cert.public_key(), 'public_numbers') else None
+                }
+            }
+        except Exception as e:
+            logger.error(f"Failed to convert certificate to dict: {e}")
+            return {"error": str(e)}
+    
+    async def _send_unauthorized_response(self, send):
+        """Send 401 Unauthorized response."""
+        await send({
+            "type": "http.response.start",
+            "status": 401,
+            "headers": [
+                (b"content-type", b"application/json"),
+                (b"content-length", b"0")
+            ]
+        })
+        await send({
+            "type": "http.response.body",
+            "body": b""
+        })
+    
+    async def _send_error_response(self, send, error_message: str):
+        """Send error response."""
+        body = f'{{"error": "{error_message}"}}'.encode('utf-8')
+        await send({
+            "type": "http.response.start",
+            "status": 500,
+            "headers": [
+                (b"content-type", b"application/json"),
+                (b"content-length", str(len(body)).encode())
+            ]
+        })
+        await send({
+            "type": "http.response.body",
+            "body": body
+        })
+
+
+def create_mtls_asgi_app(app, ssl_config: Dict[str, Any]):
+    """
+    Create MTLS ASGI application wrapper.
+    
+    Args:
+        app: The underlying ASGI application
+        ssl_config: SSL configuration dictionary
+        
+    Returns:
+        MTLS ASGI app wrapper
+    """
+    return MTLSASGIApp(app, ssl_config)

mcp_proxy_adapter/core/protocol_manager.py

@@ -0,0 +1,235 @@
+"""
+Protocol management module for MCP Proxy Adapter.
+
+This module provides functionality for managing and validating protocol configurations,
+including HTTP, HTTPS, and MTLS protocols with their respective ports.
+"""
+
+import ssl
+from typing import Dict, List, Optional, Tuple, Union
+from urllib.parse import urlparse
+
+from mcp_proxy_adapter.config import config
+from mcp_proxy_adapter.core.logging import logger
+
+
+class ProtocolManager:
+    """
+    Manages protocol configurations and validates protocol access.
+    
+    This class handles the validation of allowed protocols and their associated ports,
+    ensuring that only configured protocols are accessible.
+    """
+    
+    def __init__(self):
+        """Initialize the protocol manager."""
+        self._load_config()
+    
+    def _load_config(self):
+        """Load protocol configuration from config."""
+        self.protocols_config = config.get("protocols", {})
+        self.enabled = self.protocols_config.get("enabled", True)
+        self.allowed_protocols = self.protocols_config.get("allowed_protocols", ["http"])
+        logger.debug(f"Protocol manager loaded config: enabled={self.enabled}, allowed_protocols={self.allowed_protocols}")
+    
+    def reload_config(self):
+        """Reload protocol configuration."""
+        self._load_config()
+        
+    def is_protocol_allowed(self, protocol: str) -> bool:
+        """
+        Check if a protocol is allowed based on configuration.
+        
+        Args:
+            protocol: Protocol name (http, https, mtls)
+            
+        Returns:
+            True if protocol is allowed, False otherwise
+        """
+        if not self.enabled:
+            logger.debug("Protocol management is disabled, allowing all protocols")
+            return True
+            
+        protocol_lower = protocol.lower()
+        is_allowed = protocol_lower in self.allowed_protocols
+        
+        logger.debug(f"Protocol '{protocol}' allowed: {is_allowed}")
+        return is_allowed
+    
+    def get_protocol_port(self, protocol: str) -> Optional[int]:
+        """
+        Get the configured port for a specific protocol.
+        
+        Args:
+            protocol: Protocol name (http, https, mtls)
+            
+        Returns:
+            Port number if configured, None otherwise
+        """
+        protocol_lower = protocol.lower()
+        protocol_config = self.protocols_config.get(protocol_lower, {})
+        
+        if not protocol_config.get("enabled", False):
+            logger.debug(f"Protocol '{protocol}' is not enabled")
+            return None
+            
+        port = protocol_config.get("port")
+        logger.debug(f"Protocol '{protocol}' port: {port}")
+        return port
+    
+    def get_allowed_protocols(self) -> List[str]:
+        """
+        Get list of all allowed protocols.
+        
+        Returns:
+            List of allowed protocol names
+        """
+        return self.allowed_protocols.copy()
+    
+    def get_protocol_config(self, protocol: str) -> Dict:
+        """
+        Get full configuration for a specific protocol.
+        
+        Args:
+            protocol: Protocol name (http, https, mtls)
+            
+        Returns:
+            Protocol configuration dictionary
+        """
+        protocol_lower = protocol.lower()
+        return self.protocols_config.get(protocol_lower, {}).copy()
+    
+    def validate_url_protocol(self, url: str) -> Tuple[bool, Optional[str]]:
+        """
+        Validate if the URL protocol is allowed.
+        
+        Args:
+            url: URL to validate
+            
+        Returns:
+            Tuple of (is_allowed, error_message)
+        """
+        try:
+            parsed = urlparse(url)
+            protocol = parsed.scheme.lower()
+            
+            if not protocol:
+                return False, "No protocol specified in URL"
+                
+            if not self.is_protocol_allowed(protocol):
+                return False, f"Protocol '{protocol}' is not allowed. Allowed protocols: {self.allowed_protocols}"
+                
+            return True, None
+            
+        except Exception as e:
+            return False, f"Invalid URL format: {str(e)}"
+    
+    def get_ssl_context_for_protocol(self, protocol: str) -> Optional[ssl.SSLContext]:
+        """
+        Get SSL context for HTTPS or MTLS protocol.
+        
+        Args:
+            protocol: Protocol name (https, mtls)
+            
+        Returns:
+            SSL context if protocol requires SSL, None otherwise
+        """
+        if protocol.lower() not in ["https", "mtls"]:
+            return None
+            
+        ssl_config = config.get("ssl", {})
+        
+        if not ssl_config.get("enabled", False):
+            logger.warning(f"SSL required for protocol '{protocol}' but SSL is disabled")
+            return None
+            
+        cert_file = ssl_config.get("cert_file")
+        key_file = ssl_config.get("key_file")
+        
+        if not cert_file or not key_file:
+            logger.warning(f"SSL required for protocol '{protocol}' but certificate files not configured")
+            return None
+            
+        try:
+            from mcp_proxy_adapter.core.ssl_utils import SSLUtils
+            
+            ssl_context = SSLUtils.create_ssl_context(
+                cert_file=cert_file,
+                key_file=key_file,
+                ca_cert=ssl_config.get("ca_cert"),
+                verify_client=protocol.lower() == "mtls" or ssl_config.get("verify_client", False),
+                cipher_suites=ssl_config.get("cipher_suites", []),
+                min_tls_version=ssl_config.get("min_tls_version", "1.2"),
+                max_tls_version=ssl_config.get("max_tls_version", "1.3")
+            )
+            
+            logger.info(f"SSL context created for protocol '{protocol}'")
+            return ssl_context
+            
+        except Exception as e:
+            logger.error(f"Failed to create SSL context for protocol '{protocol}': {e}")
+            return None
+    
+    def get_protocol_info(self) -> Dict[str, Dict]:
+        """
+        Get information about all configured protocols.
+        
+        Returns:
+            Dictionary with protocol information
+        """
+        info = {}
+        
+        for protocol in ["http", "https", "mtls"]:
+            protocol_config = self.get_protocol_config(protocol)
+            info[protocol] = {
+                "enabled": protocol_config.get("enabled", False),
+                "allowed": self.is_protocol_allowed(protocol),
+                "port": protocol_config.get("port"),
+                "requires_ssl": protocol in ["https", "mtls"],
+                "ssl_context_available": self.get_ssl_context_for_protocol(protocol) is not None
+            }
+            
+        return info
+    
+    def validate_protocol_configuration(self) -> List[str]:
+        """
+        Validate the current protocol configuration.
+        
+        Returns:
+            List of validation errors (empty if configuration is valid)
+        """
+        errors = []
+        
+        if not self.enabled:
+            return errors
+            
+        # Check if allowed protocols are configured
+        for protocol in self.allowed_protocols:
+            if protocol not in ["http", "https", "mtls"]:
+                errors.append(f"Unknown protocol '{protocol}' in allowed_protocols")
+                continue
+                
+            protocol_config = self.get_protocol_config(protocol)
+            
+            if not protocol_config.get("enabled", False):
+                errors.append(f"Protocol '{protocol}' is in allowed_protocols but not enabled")
+                continue
+                
+            port = protocol_config.get("port")
+            if not port:
+                errors.append(f"Protocol '{protocol}' is enabled but no port configured")
+                continue
+                
+            # Check SSL requirements
+            if protocol in ["https", "mtls"]:
+                ssl_config = config.get("ssl", {})
+                if not ssl_config.get("enabled", False):
+                    errors.append(f"Protocol '{protocol}' requires SSL but SSL is disabled")
+                elif not ssl_config.get("cert_file") or not ssl_config.get("key_file"):
+                    errors.append(f"Protocol '{protocol}' requires SSL but certificate files not configured")
+        
+        return errors
+
+
+# Global protocol manager instance
+protocol_manager = ProtocolManager()