mcp-proxy-adapter 4.1.1__py3-none-any.whl → 6.1.0__py3-none-any.whl

mcp_proxy_adapter/examples/create_certificates_simple.py

@@ -0,0 +1,307 @@
+#!/usr/bin/env python3
+"""
+Simple Certificate Creation Script
+
+This script creates basic certificates for testing using OpenSSL directly.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+
+class SimpleCertificateCreator:
+    """Create certificates using OpenSSL directly."""
+    
+    def __init__(self):
+        self.project_root = Path(__file__).parent.parent.parent
+        self.certs_dir = self.project_root / "mcp_proxy_adapter" / "examples" / "certs"
+        self.keys_dir = self.project_root / "mcp_proxy_adapter" / "examples" / "keys"
+        
+        # Create directories
+        self.certs_dir.mkdir(parents=True, exist_ok=True)
+        self.keys_dir.mkdir(parents=True, exist_ok=True)
+    
+    def run_command(self, cmd: list, description: str) -> bool:
+        """Run a command and handle errors."""
+        try:
+            print(f"🔧 {description}...")
+            result = subprocess.run(
+                cmd,
+                cwd=self.project_root,
+                capture_output=True,
+                text=True,
+                check=True
+            )
+            print(f"✅ {description} completed successfully")
+            return True
+        except subprocess.CalledProcessError as e:
+            print(f"❌ {description} failed:")
+            print(f"   Command: {' '.join(cmd)}")
+            print(f"   Error: {e.stderr}")
+            return False
+        except Exception as e:
+            print(f"❌ {description} failed: {e}")
+            return False
+    
+    def create_ca_certificate(self) -> bool:
+        """Create CA certificate using OpenSSL."""
+        ca_cert_path = self.certs_dir / "ca_cert.pem"
+        ca_key_path = self.keys_dir / "ca_key.pem"
+        
+        if ca_cert_path.exists() and ca_key_path.exists():
+            print(f"ℹ️ CA certificate already exists: {ca_cert_path}")
+            return True
+        
+        # Create CA private key
+        key_cmd = [
+            "openssl", "genrsa", "-out", str(ca_key_path), "2048"
+        ]
+        if not self.run_command(key_cmd, "Creating CA private key"):
+            return False
+        
+        # Create CA certificate
+        cert_cmd = [
+            "openssl", "req", "-new", "-x509", "-days", "3650",
+            "-key", str(ca_key_path),
+            "-out", str(ca_cert_path),
+            "-subj", "/C=US/ST=Test State/L=Test City/O=Test Organization/CN=MCP Proxy Adapter Test CA"
+        ]
+        return self.run_command(cert_cmd, "Creating CA certificate")
+    
+    def create_server_certificate(self) -> bool:
+        """Create server certificate using OpenSSL."""
+        server_cert_path = self.certs_dir / "server_cert.pem"
+        server_key_path = self.certs_dir / "server_key.pem"
+        
+        if server_cert_path.exists() and server_key_path.exists():
+            print(f"ℹ️ Server certificate already exists: {server_cert_path}")
+            return True
+        
+        # Create server private key
+        key_cmd = [
+            "openssl", "genrsa", "-out", str(server_key_path), "2048"
+        ]
+        if not self.run_command(key_cmd, "Creating server private key"):
+            return False
+        
+        # Create server certificate signing request
+        csr_path = self.certs_dir / "server.csr"
+        csr_cmd = [
+            "openssl", "req", "-new",
+            "-key", str(server_key_path),
+            "-out", str(csr_path),
+            "-subj", "/C=US/ST=Test State/L=Test City/O=Test Organization/CN=localhost"
+        ]
+        if not self.run_command(csr_cmd, "Creating server CSR"):
+            return False
+        
+        # Create server certificate
+        cert_cmd = [
+            "openssl", "x509", "-req", "-days", "730",
+            "-in", str(csr_path),
+            "-CA", str(self.certs_dir / "ca_cert.pem"),
+            "-CAkey", str(self.keys_dir / "ca_key.pem"),
+            "-CAcreateserial",
+            "-out", str(server_cert_path)
+        ]
+        success = self.run_command(cert_cmd, "Creating server certificate")
+        
+        # Clean up CSR
+        if csr_path.exists():
+            csr_path.unlink()
+        
+        return success
+    
+    def create_client_certificate(self, name: str, common_name: str) -> bool:
+        """Create client certificate using OpenSSL."""
+        cert_path = self.certs_dir / f"{name}_cert.pem"
+        key_path = self.certs_dir / f"{name}_key.pem"
+        
+        if cert_path.exists() and key_path.exists():
+            print(f"ℹ️ Client certificate {name} already exists: {cert_path}")
+            return True
+        
+        # Create client private key
+        key_cmd = [
+            "openssl", "genrsa", "-out", str(key_path), "2048"
+        ]
+        if not self.run_command(key_cmd, f"Creating {name} private key"):
+            return False
+        
+        # Create client certificate signing request
+        csr_path = self.certs_dir / f"{name}.csr"
+        csr_cmd = [
+            "openssl", "req", "-new",
+            "-key", str(key_path),
+            "-out", str(csr_path),
+            "-subj", f"/C=US/ST=Test State/L=Test City/O=Test Organization/CN={common_name}"
+        ]
+        if not self.run_command(csr_cmd, f"Creating {name} CSR"):
+            return False
+        
+        # Create client certificate
+        cert_cmd = [
+            "openssl", "x509", "-req", "-days", "730",
+            "-in", str(csr_path),
+            "-CA", str(self.certs_dir / "ca_cert.pem"),
+            "-CAkey", str(self.keys_dir / "ca_key.pem"),
+            "-CAcreateserial",
+            "-out", str(cert_path)
+        ]
+        success = self.run_command(cert_cmd, f"Creating {name} certificate")
+        
+        # Clean up CSR
+        if csr_path.exists():
+            csr_path.unlink()
+        
+        return success
+    
+    def create_legacy_certificates(self) -> bool:
+        """Create legacy certificate files for compatibility."""
+        legacy_files = [
+            ("client.crt", "client.key", "client"),
+            ("client_admin.crt", "client_admin.key", "admin"),
+            ("admin.crt", "admin.key", "admin"),
+            ("user.crt", "user.key", "user"),
+            ("readonly.crt", "readonly.key", "readonly")
+        ]
+        
+        success = True
+        for cert_file, key_file, source_name in legacy_files:
+            cert_path = self.certs_dir / cert_file
+            key_path = self.certs_dir / key_file
+            
+            if not cert_path.exists() or not key_path.exists():
+                source_cert = self.certs_dir / f"{source_name}_cert.pem"
+                source_key = self.certs_dir / f"{source_name}_key.pem"
+                
+                if source_cert.exists() and source_key.exists():
+                    self.run_command(["cp", str(source_cert), str(cert_path)], f"Creating {cert_file}")
+                    self.run_command(["cp", str(source_key), str(key_path)], f"Creating {key_file}")
+                else:
+                    print(f"⚠️ Source certificate {source_name} not found for {cert_file}")
+                    success = False
+        
+        return success
+    
+    def validate_certificates(self) -> bool:
+        """Validate all created certificates."""
+        print("\n🔍 Validating certificates...")
+        
+        cert_files = [
+            "ca_cert.pem",
+            "server_cert.pem",
+            "admin_cert.pem",
+            "user_cert.pem",
+            "readonly_cert.pem",
+            "guest_cert.pem",
+            "proxy_cert.pem"
+        ]
+        
+        success = True
+        for cert_file in cert_files:
+            cert_path = self.certs_dir / cert_file
+            if cert_path.exists():
+                try:
+                    result = subprocess.run(
+                        ["openssl", "x509", "-in", str(cert_path), "-text", "-noout"],
+                        capture_output=True,
+                        text=True,
+                        check=True
+                    )
+                    print(f"✅ {cert_file}: Valid")
+                except subprocess.CalledProcessError:
+                    print(f"❌ {cert_file}: Invalid")
+                    success = False
+            else:
+                print(f"⚠️ {cert_file}: Not found")
+        
+        return success
+    
+    def create_all(self) -> bool:
+        """Create all certificates."""
+        print("🔐 Creating All Certificates for Security Testing")
+        print("=" * 60)
+        
+        success = True
+        
+        # 1. Create CA certificate
+        if not self.create_ca_certificate():
+            success = False
+            print("❌ Cannot continue without CA certificate")
+            return False
+        
+        # 2. Create server certificate
+        if not self.create_server_certificate():
+            success = False
+        
+        # 3. Create client certificates
+        print("\n👥 Creating client certificates...")
+        client_certs = [
+            ("admin", "admin-client"),
+            ("user", "user-client"),
+            ("readonly", "readonly-client"),
+            ("guest", "guest-client"),
+            ("proxy", "proxy-client")
+        ]
+        
+        for name, common_name in client_certs:
+            if not self.create_client_certificate(name, common_name):
+                success = False
+        
+        # 4. Create legacy certificates
+        print("\n🔄 Creating legacy certificates...")
+        if not self.create_legacy_certificates():
+            success = False
+        
+        # 5. Validate certificates
+        if not self.validate_certificates():
+            success = False
+        
+        # Print summary
+        print("\n" + "=" * 60)
+        print("📊 CERTIFICATE CREATION SUMMARY")
+        print("=" * 60)
+        
+        if success:
+            print("✅ All certificates created successfully!")
+            print(f"📁 Certificates directory: {self.certs_dir}")
+            print(f"🔑 Keys directory: {self.keys_dir}")
+            print("\n📋 Created certificates:")
+            
+            cert_files = list(self.certs_dir.glob("*.pem")) + list(self.certs_dir.glob("*.crt"))
+            for cert_file in sorted(cert_files):
+                print(f"   - {cert_file.name}")
+            
+            key_files = list(self.keys_dir.glob("*.pem")) + list(self.keys_dir.glob("*.key"))
+            for key_file in sorted(key_files):
+                print(f"   - {key_file.name}")
+        else:
+            print("❌ Some certificates failed to create")
+            print("Check the error messages above")
+        
+        return success
+
+
+def main():
+    """Main function."""
+    creator = SimpleCertificateCreator()
+    
+    try:
+        success = creator.create_all()
+        sys.exit(0 if success else 1)
+    except KeyboardInterrupt:
+        print("\n⚠️ Certificate creation interrupted by user")
+        sys.exit(1)
+    except Exception as e:
+        print(f"\n❌ Certificate creation failed: {e}")
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

mcp_proxy_adapter/examples/debug_request_state.py

@@ -0,0 +1,144 @@
+#!/usr/bin/env python3
+"""
+Debug Request State - Проверка request.state
+
+Этот скрипт проверяет, как middleware устанавливает информацию о пользователе в request.state.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import asyncio
+import json
+import sys
+from pathlib import Path
+
+# Add project root to path
+project_root = Path(__file__).parent.parent.parent
+sys.path.insert(0, str(project_root))
+
+from fastapi import FastAPI, Request
+from fastapi.testclient import TestClient
+from mcp_proxy_adapter.api.app import create_app
+
+
+async def debug_request_state():
+    """Debug request state handling."""
+    
+    print("🔍 ОТЛАДКА REQUEST.STATE")
+    print("=" * 50)
+    
+    # Create test app with proper configuration
+    config_path = project_root / "mcp_proxy_adapter" / "examples" / "server_configs" / "config_http_token.json"
+    
+    with open(config_path) as f:
+        config = json.load(f)
+    
+    # Override global config for testing
+    import mcp_proxy_adapter.config
+    mcp_proxy_adapter.config.config = config
+    
+    app = create_app(config)
+    client = TestClient(app)
+    
+    print("📋 1. ТЕСТИРОВАНИЕ БЕЗ АУТЕНТИФИКАЦИИ")
+    print("-" * 30)
+    
+    # Test without authentication
+    response = client.post("/cmd", json={
+        "jsonrpc": "2.0",
+        "method": "echo",
+        "params": {"message": "test"},
+        "id": 1
+    })
+    
+    print(f"Status: {response.status_code}")
+    print(f"Response: {response.json()}")
+    
+    print("\n📋 2. ТЕСТИРОВАНИЕ С ADMIN ТОКЕНОМ")
+    print("-" * 30)
+    
+    # Test with admin token
+    response = client.post("/cmd", 
+        json={
+            "jsonrpc": "2.0",
+            "method": "echo",
+            "params": {"message": "test"},
+            "id": 1
+        },
+        headers={"X-API-Key": "test-token-123"}
+    )
+    
+    print(f"Status: {response.status_code}")
+    print(f"Response: {response.json()}")
+    
+    print("\n📋 3. ТЕСТИРОВАНИЕ С USER ТОКЕНОМ")
+    print("-" * 30)
+    
+    # Test with user token
+    response = client.post("/cmd", 
+        json={
+            "jsonrpc": "2.0",
+            "method": "echo",
+            "params": {"message": "test"},
+            "id": 1
+        },
+        headers={"X-API-Key": "user-token-456"}
+    )
+    
+    print(f"Status: {response.status_code}")
+    print(f"Response: {response.json()}")
+    
+    print("\n📋 4. ТЕСТИРОВАНИЕ С READONLY ТОКЕНОМ")
+    print("-" * 30)
+    
+    # Test with readonly token
+    response = client.post("/cmd", 
+        json={
+            "jsonrpc": "2.0",
+            "method": "echo",
+            "params": {"message": "test"},
+            "id": 1
+        },
+        headers={"X-API-Key": "readonly-token-123"}
+    )
+    
+    print(f"Status: {response.status_code}")
+    print(f"Response: {response.json()}")
+    
+    print("\n📋 5. ТЕСТИРОВАНИЕ ROLE_TEST КОМАНДЫ")
+    print("-" * 30)
+    
+    # Test role_test command with readonly token
+    response = client.post("/cmd", 
+        json={
+            "jsonrpc": "2.0",
+            "method": "role_test",
+            "params": {"action": "write"},
+            "id": 1
+        },
+        headers={"X-API-Key": "readonly-token-123"}
+    )
+    
+    print(f"Status: {response.status_code}")
+    print(f"Response: {response.json()}")
+    
+    print("\n📋 6. АНАЛИЗ ПРОБЛЕМЫ")
+    print("-" * 30)
+    
+    print("🔍 ПРОБЛЕМА: Readonly роль получает доступ к командам")
+    print("\n📋 ВОЗМОЖНЫЕ ПРИЧИНЫ:")
+    print("1. Framework middleware не устанавливает user info в request.state")
+    print("2. Нет проверки прав на уровне middleware")
+    print("3. Команды не проверяют права доступа")
+    print("4. Интеграция между middleware и командами не работает")
+    
+    print("\n📋 РЕКОМЕНДАЦИИ:")
+    print("1. Добавить CommandPermissionMiddleware")
+    print("2. Убедиться, что framework middleware устанавливает user info")
+    print("3. Добавить проверку прав в команды")
+    print("4. Проверить интеграцию middleware")
+
+
+if __name__ == "__main__":
+    asyncio.run(debug_request_state())

mcp_proxy_adapter/examples/debug_role_chain.py

@@ -0,0 +1,205 @@
+#!/usr/bin/env python3
+"""
+Debug Role Chain - Анализ цепочки блокировки ролей
+
+Этот скрипт анализирует всю цепочку от аутентификации до блокировки доступа.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import asyncio
+import json
+import sys
+from pathlib import Path
+
+# Add project root to path
+project_root = Path(__file__).parent.parent.parent
+sys.path.insert(0, str(project_root))
+
+from mcp_security_framework import SecurityManager, AuthManager, PermissionManager
+from mcp_security_framework.schemas.config import SecurityConfig, AuthConfig, PermissionConfig
+
+
+async def debug_role_chain():
+    """Debug the complete role chain from authentication to blocking."""
+    
+    print("🔍 АНАЛИЗ ЦЕПОЧКИ БЛОКИРОВКИ РОЛЕЙ")
+    print("=" * 60)
+    
+    # Load configuration
+    config_path = project_root / "mcp_proxy_adapter" / "examples" / "server_configs" / "config_http_token.json"
+    
+    with open(config_path) as f:
+        config = json.load(f)
+    
+    security_config = config.get("security", {})
+    
+    print("📋 1. КОНФИГУРАЦИЯ API КЛЮЧЕЙ")
+    print("-" * 30)
+    api_keys = security_config.get("auth", {}).get("api_keys", {})
+    for key, value in api_keys.items():
+        print(f"  {key}: {value}")
+    
+    print("\n📋 2. КОНФИГУРАЦИЯ РОЛЕЙ")
+    print("-" * 30)
+    roles_config = security_config.get("permissions", {}).get("roles", {})
+    for role, permissions in roles_config.items():
+        print(f"  {role}: {permissions}")
+    
+    print("\n📋 3. СОЗДАНИЕ КОМПОНЕНТОВ БЕЗОПАСНОСТИ")
+    print("-" * 30)
+    
+    # Create permission config
+    perm_config = PermissionConfig(
+        roles_file=str(project_root / "mcp_proxy_adapter" / "examples" / "server_configs" / "roles.json"),
+        default_role="guest",
+        admin_role="admin",
+        role_hierarchy=security_config.get("permissions", {}).get("role_hierarchy", {}),
+        permission_cache_enabled=True,
+        permission_cache_ttl=300,
+        wildcard_permissions=False,
+        strict_mode=True,
+        roles=roles_config
+    )
+    
+    # Create auth config
+    auth_config = AuthConfig(
+        enabled=security_config.get("auth", {}).get("enabled", True),
+        methods=security_config.get("auth", {}).get("methods", ["api_key"]),
+        api_keys=api_keys,
+        user_roles=security_config.get("auth", {}).get("user_roles", {}),
+        jwt_secret=security_config.get("auth", {}).get("jwt_secret"),
+        jwt_algorithm=security_config.get("auth", {}).get("jwt_algorithm", "HS256"),
+        jwt_expiry_hours=security_config.get("auth", {}).get("jwt_expiry_hours", 24),
+        certificate_auth=security_config.get("auth", {}).get("certificate_auth", False),
+        certificate_roles_oid=security_config.get("auth", {}).get("certificate_roles_oid"),
+        certificate_permissions_oid=security_config.get("auth", {}).get("certificate_permissions_oid"),
+        basic_auth=security_config.get("auth", {}).get("basic_auth", False),
+        oauth2_config=security_config.get("auth", {}).get("oauth2_config"),
+        public_paths=security_config.get("auth", {}).get("public_paths", [])
+    )
+    
+    # Create security config
+    security_config_obj = SecurityConfig(
+        auth=auth_config,
+        permissions=perm_config
+    )
+    
+    print("✅ Конфигурации созданы")
+    
+    print("\n📋 4. ИНИЦИАЛИЗАЦИЯ МЕНЕДЖЕРОВ")
+    print("-" * 30)
+    
+    # Initialize managers
+    permission_manager = PermissionManager(perm_config)
+    auth_manager = AuthManager(auth_config, permission_manager)
+    security_manager = SecurityManager(security_config_obj)
+    
+    print("✅ Менеджеры инициализированы")
+    
+    print("\n📋 5. ТЕСТИРОВАНИЕ АУТЕНТИФИКАЦИИ")
+    print("-" * 30)
+    
+    # Test authentication with different tokens
+    test_tokens = {
+        "admin": "test-token-123",
+        "user": "user-token-456", 
+        "readonly": "readonly-token-123",
+        "invalid": "invalid-token-999"
+    }
+    
+    auth_results = {}
+    
+    for role, token in test_tokens.items():
+        print(f"\n🔐 Тестирование токена для роли '{role}': {token}")
+        
+        try:
+            result = auth_manager.authenticate_api_key(token)
+            auth_results[role] = result
+            
+            print(f"  ✅ Аутентификация: {'УСПЕШНА' if result.is_valid else 'НЕУДАЧНА'}")
+            if result.is_valid:
+                print(f"  👤 Пользователь: {result.username}")
+                print(f"  🏷️ Роли: {result.roles}")
+                print(f"  🔑 Метод: {result.auth_method}")
+            else:
+                print(f"  ❌ Ошибка: {result.error_message}")
+                
+        except Exception as e:
+            print(f"  ❌ Исключение: {e}")
+            auth_results[role] = None
+    
+    print("\n📋 6. ТЕСТИРОВАНИЕ ПРАВ ДОСТУПА")
+    print("-" * 30)
+    
+    # Test permissions for different actions
+    test_actions = ["read", "write", "manage", "delete"]
+    
+    for role, auth_result in auth_results.items():
+        if auth_result and auth_result.is_valid:
+            print(f"\n🔒 Тестирование прав для роли '{role}' (роли: {auth_result.roles})")
+            
+            for action in test_actions:
+                try:
+                    # Check permissions using permission manager
+                    validation_result = permission_manager.validate_access(
+                        auth_result.roles, 
+                        [action]
+                    )
+                    
+                    status = "✅ РАЗРЕШЕНО" if validation_result.is_valid else "❌ ЗАБЛОКИРОВАНО"
+                    print(f"  {action}: {status}")
+                    
+                    if not validation_result.is_valid:
+                        print(f"    📝 Причина: {validation_result.error_message}")
+                        print(f"    🎯 Эффективные права: {validation_result.effective_permissions}")
+                        print(f"    ❌ Отсутствующие права: {validation_result.missing_permissions}")
+                        
+                except Exception as e:
+                    print(f"  {action}: ❌ ОШИБКА - {e}")
+    
+    print("\n📋 7. ТЕСТИРОВАНИЕ ПОЛНОЙ ЦЕПОЧКИ")
+    print("-" * 30)
+    
+    # Test complete request validation
+    for role, token in test_tokens.items():
+        print(f"\n🔄 Полная цепочка для роли '{role}'")
+        
+        request_data = {
+            "api_key": token,
+            "required_permissions": ["write"],
+            "client_ip": "127.0.0.1"
+        }
+        
+        try:
+            result = security_manager.validate_request(request_data)
+            
+            status = "✅ УСПЕШНО" if result.is_valid else "❌ ЗАБЛОКИРОВАНО"
+            print(f"  Результат: {status}")
+            
+            if not result.is_valid:
+                print(f"  📝 Причина: {result.error_message}")
+                
+        except Exception as e:
+            print(f"  ❌ ОШИБКА: {e}")
+    
+    print("\n📋 8. АНАЛИЗ ПРОБЛЕМЫ")
+    print("-" * 30)
+    
+    print("🔍 ПРОБЛЕМА: Readonly роль получает доступ к write операциям")
+    print("\n📋 ВОЗМОЖНЫЕ ПРИЧИНЫ:")
+    print("1. Middleware не передает информацию о пользователе в request.state")
+    print("2. Framework middleware не блокирует доступ на уровне middleware")
+    print("3. Команда role_test не получает правильный контекст пользователя")
+    print("4. Интеграция между middleware и командами не работает")
+    
+    print("\n📋 РЕКОМЕНДАЦИИ:")
+    print("1. Проверить, как framework middleware устанавливает user info")
+    print("2. Добавить проверку прав на уровне middleware")
+    print("3. Убедиться, что request.state содержит user info")
+    print("4. Проверить интеграцию между middleware и командами")
+
+
+if __name__ == "__main__":
+    asyncio.run(debug_role_chain())