mcp-proxy-adapter 6.0.0__py3-none-any.whl → 6.0.1__py3-none-any.whl

mcp_proxy_adapter/core/mtls_asgi.py

@@ -0,0 +1,156 @@
+"""
+Custom ASGI application for mTLS support.
+
+This module provides a custom ASGI application that properly handles
+client certificates in mTLS connections.
+"""
+
+import ssl
+import logging
+from typing import Dict, Any, Optional
+from starlette.applications import Starlette
+from starlette.requests import Request
+from starlette.responses import Response
+from starlette.types import ASGIApp, Receive, Send, Scope
+
+logger = logging.getLogger(__name__)
+
+
+class MTLSASGIApp:
+    """
+    Custom ASGI application that properly handles mTLS client certificates.
+    
+    This wrapper ensures that client certificates are properly extracted
+    and made available to the FastAPI application.
+    """
+    
+    def __init__(self, app: ASGIApp, ssl_config: Dict[str, Any]):
+        """
+        Initialize MTLS ASGI application.
+        
+        Args:
+            app: The underlying ASGI application (FastAPI)
+            ssl_config: SSL configuration for mTLS
+        """
+        self.app = app
+        self.ssl_config = ssl_config
+        self.verify_client = ssl_config.get("verify_client", False)
+        self.client_cert_required = ssl_config.get("client_cert_required", False)
+        
+        logger.info(f"MTLS ASGI app initialized: verify_client={self.verify_client}, "
+                   f"client_cert_required={self.client_cert_required}")
+    
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        """
+        Handle ASGI request with mTLS support.
+        
+        Args:
+            scope: ASGI scope
+            receive: ASGI receive callable
+            send: ASGI send callable
+        """
+        try:
+            # Extract client certificate from SSL context
+            if scope["type"] == "http" and "ssl" in scope:
+                client_cert = self._extract_client_certificate(scope)
+                if client_cert:
+                    # Store certificate in scope for middleware access
+                    scope["client_certificate"] = client_cert
+                    logger.debug(f"Client certificate extracted: {client_cert.get('subject', {})}")
+                elif self.client_cert_required:
+                    logger.warning("Client certificate required but not provided")
+                    # Return 401 Unauthorized
+                    await self._send_unauthorized_response(send)
+                    return
+            
+            # Call the underlying application
+            await self.app(scope, receive, send)
+            
+        except Exception as e:
+            logger.error(f"Error in MTLS ASGI app: {e}")
+            await self._send_error_response(send, str(e))
+    
+    def _extract_client_certificate(self, scope: Scope) -> Optional[Dict[str, Any]]:
+        """
+        Extract client certificate from SSL context.
+        
+        Args:
+            scope: ASGI scope
+            
+        Returns:
+            Client certificate data or None
+        """
+        try:
+            ssl_context = scope.get("ssl")
+            if not ssl_context:
+                return None
+            
+            # Get peer certificate
+            cert = ssl_context.getpeercert()
+            if cert:
+                return cert
+            
+            return None
+            
+        except Exception as e:
+            logger.error(f"Failed to extract client certificate: {e}")
+            return None
+    
+    async def _send_unauthorized_response(self, send: Send) -> None:
+        """
+        Send 401 Unauthorized response.
+        
+        Args:
+            send: ASGI send callable
+        """
+        response = {
+            "type": "http.response.start",
+            "status": 401,
+            "headers": [
+                (b"content-type", b"application/json"),
+                (b"content-length", b"163"),
+            ],
+        }
+        await send(response)
+        
+        body = b'{"jsonrpc": "2.0", "error": {"code": -32001, "message": "Unauthorized: Client certificate required"}, "id": null}'
+        await send({"type": "http.response.body", "body": body})
+    
+    async def _send_error_response(self, send: Send, error_message: str) -> None:
+        """
+        Send error response.
+        
+        Args:
+            send: ASGI send callable
+            error_message: Error message
+        """
+        response = {
+            "type": "http.response.start",
+            "status": 500,
+            "headers": [
+                (b"content-type", b"application/json"),
+            ],
+        }
+        await send(response)
+        
+        body = f'{{"jsonrpc": "2.0", "error": {{"code": -32603, "message": "Internal error: {error_message}"}}, "id": null}}'.encode()
+        await send({"type": "http.response.body", "body": body})
+
+
+def create_mtls_asgi_app(app: ASGIApp, ssl_config: Dict[str, Any]) -> ASGIApp:
+    """
+    Create MTLS-enabled ASGI application.
+    
+    Args:
+        app: The underlying ASGI application (FastAPI)
+        ssl_config: SSL configuration for mTLS
+        
+    Returns:
+        MTLS-enabled ASGI application
+    """
+    if ssl_config.get("mode") == "mtls" or ssl_config.get("verify_client", False):
+        logger.info("Creating MTLS-enabled ASGI application")
+        return MTLSASGIApp(app, ssl_config)
+    else:
+        logger.info("Creating standard ASGI application (no mTLS)")
+        return app

mcp_proxy_adapter/core/mtls_asgi_app.py

@@ -0,0 +1,187 @@
+"""
+MTLS ASGI Application Wrapper
+
+This module provides an ASGI application wrapper that extracts client certificates
+from the SSL context and makes them available to FastAPI middleware.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+Version: 1.0.0
+"""
+
+import logging
+import ssl
+from typing import Dict, Any, Optional
+from cryptography import x509
+
+logger = logging.getLogger(__name__)
+
+
+class MTLSASGIApp:
+    """
+    ASGI application wrapper for mTLS support.
+    
+    Extracts client certificates from SSL context and stores them in ASGI scope
+    for access by FastAPI middleware.
+    """
+    
+    def __init__(self, app, ssl_config: Dict[str, Any]):
+        """
+        Initialize MTLS ASGI app.
+        
+        Args:
+            app: The underlying ASGI application
+            ssl_config: SSL configuration dictionary
+        """
+        self.app = app
+        self.ssl_config = ssl_config
+        self.client_cert_required = ssl_config.get("client_cert_required", True)
+        
+        logger.info(f"MTLS ASGI app initialized: client_cert_required={self.client_cert_required}")
+    
+    async def __call__(self, scope: Dict[str, Any], receive, send):
+        """
+        Handle ASGI request with mTLS support.
+        
+        Args:
+            scope: ASGI scope dictionary
+            receive: ASGI receive callable
+            send: ASGI send callable
+        """
+        try:
+            # Extract client certificate from SSL context
+            if scope["type"] == "http" and "ssl" in scope:
+                client_cert = self._extract_client_certificate(scope)
+                if client_cert:
+                    # Store certificate in scope for middleware access
+                    scope["client_certificate"] = client_cert
+                    logger.debug(f"Client certificate extracted: {client_cert.get('subject', {})}")
+                elif self.client_cert_required:
+                    logger.warning("Client certificate required but not provided")
+                    # Return 401 Unauthorized
+                    await self._send_unauthorized_response(send)
+                    return
+            
+            # Call the underlying application
+            await self.app(scope, receive, send)
+            
+        except Exception as e:
+            logger.error(f"Error in MTLS ASGI app: {e}")
+            await self._send_error_response(send, str(e))
+    
+    def _extract_client_certificate(self, scope: Dict[str, Any]) -> Optional[Dict[str, Any]]:
+        """
+        Extract client certificate from SSL context.
+        
+        Args:
+            scope: ASGI scope dictionary
+            
+        Returns:
+            Certificate dictionary or None if not found
+        """
+        try:
+            ssl_context = scope.get("ssl")
+            if not ssl_context:
+                logger.debug("No SSL context found in scope")
+                return None
+            
+            # Try to get peer certificate
+            if hasattr(ssl_context, 'getpeercert'):
+                cert_data = ssl_context.getpeercert(binary_form=True)
+                if cert_data:
+                    # Parse certificate
+                    cert = x509.load_der_x509_certificate(cert_data)
+                    return self._cert_to_dict(cert)
+                else:
+                    logger.debug("No certificate data in SSL context")
+                    return None
+            else:
+                logger.debug("SSL context has no getpeercert method")
+                return None
+                
+        except Exception as e:
+            logger.error(f"Failed to extract client certificate: {e}")
+            return None
+    
+    def _cert_to_dict(self, cert: x509.Certificate) -> Dict[str, Any]:
+        """
+        Convert x509 certificate to dictionary.
+        
+        Args:
+            cert: x509 certificate object
+            
+        Returns:
+            Certificate dictionary
+        """
+        try:
+            # Extract subject
+            subject = {}
+            for name in cert.subject:
+                subject[name.oid._name] = name.value
+            
+            # Extract issuer
+            issuer = {}
+            for name in cert.issuer:
+                issuer[name.oid._name] = name.value
+            
+            return {
+                "subject": subject,
+                "issuer": issuer,
+                "serial_number": str(cert.serial_number),
+                "not_valid_before": cert.not_valid_before.isoformat(),
+                "not_valid_after": cert.not_valid_after.isoformat(),
+                "version": cert.version.value,
+                "signature_algorithm_oid": cert.signature_algorithm_oid._name,
+                "public_key": {
+                    "key_size": cert.public_key().key_size if hasattr(cert.public_key(), 'key_size') else None,
+                    "public_numbers": str(cert.public_key().public_numbers()) if hasattr(cert.public_key(), 'public_numbers') else None
+                }
+            }
+        except Exception as e:
+            logger.error(f"Failed to convert certificate to dict: {e}")
+            return {"error": str(e)}
+    
+    async def _send_unauthorized_response(self, send):
+        """Send 401 Unauthorized response."""
+        await send({
+            "type": "http.response.start",
+            "status": 401,
+            "headers": [
+                (b"content-type", b"application/json"),
+                (b"content-length", b"0")
+            ]
+        })
+        await send({
+            "type": "http.response.body",
+            "body": b""
+        })
+    
+    async def _send_error_response(self, send, error_message: str):
+        """Send error response."""
+        body = f'{{"error": "{error_message}"}}'.encode('utf-8')
+        await send({
+            "type": "http.response.start",
+            "status": 500,
+            "headers": [
+                (b"content-type", b"application/json"),
+                (b"content-length", str(len(body)).encode())
+            ]
+        })
+        await send({
+            "type": "http.response.body",
+            "body": body
+        })
+
+
+def create_mtls_asgi_app(app, ssl_config: Dict[str, Any]):
+    """
+    Create MTLS ASGI application wrapper.
+    
+    Args:
+        app: The underlying ASGI application
+        ssl_config: SSL configuration dictionary
+        
+    Returns:
+        MTLS ASGI app wrapper
+    """
+    return MTLSASGIApp(app, ssl_config)

mcp_proxy_adapter/core/protocol_manager.py

@@ -21,11 +21,106 @@ class ProtocolManager:
     ensuring that only configured protocols are accessible.
     """
     
-    def __init__(self):
-        """Initialize the protocol manager."""
-        self.protocols_config = config.get("protocols", {})
-        self.enabled = self.protocols_config.get("enabled", True)
-        self.allowed_protocols = self.protocols_config.get("allowed_protocols", ["http"])
+    def __init__(self, app_config: Optional[Dict] = None):
+        """
+        Initialize the protocol manager.
+        
+        Args:
+            app_config: Application configuration dictionary (optional)
+        """
+        self.app_config = app_config
+        self._load_config()
+    
+    def _load_config(self):
+        """Load protocol configuration from config."""
+        # Use provided config or fallback to global config; normalize types
+        current_config = self.app_config if self.app_config is not None else config.get_all()
+        logger.debug(f"ProtocolManager._load_config - current_config type: {type(current_config)}")
+
+        if not hasattr(current_config, 'get'):
+            # Not a dict-like config, fallback to global
+            logger.debug(f"ProtocolManager._load_config - current_config is not dict-like, falling back to global config")
+            current_config = config.get_all()
+
+        logger.debug(f"ProtocolManager._load_config - final current_config type: {type(current_config)}")
+        if hasattr(current_config, 'get'):
+            logger.debug(f"ProtocolManager._load_config - current_config keys: {list(current_config.keys()) if hasattr(current_config, 'keys') else 'no keys'}")
+
+        # Get protocols configuration
+        logger.debug(f"ProtocolManager._load_config - before getting protocols")
+        try:
+            self.protocols_config = current_config.get("protocols", {})
+            logger.debug(f"ProtocolManager._load_config - protocols_config type: {type(self.protocols_config)}")
+            if hasattr(self.protocols_config, 'get'):
+                logger.debug(f"ProtocolManager._load_config - protocols_config is dict-like")
+            else:
+                logger.debug(f"ProtocolManager._load_config - protocols_config is NOT dict-like: {repr(self.protocols_config)}")
+        except Exception as e:
+            logger.debug(f"ProtocolManager._load_config - ERROR getting protocols: {e}")
+            self.protocols_config = {}
+
+        self.enabled = self.protocols_config.get("enabled", True) if hasattr(self.protocols_config, 'get') else True
+        
+        # Get SSL configuration to determine allowed protocols
+        ssl_enabled = self._is_ssl_enabled(current_config)
+        
+        # Set allowed protocols based on SSL configuration
+        if ssl_enabled:
+            # If SSL is enabled, allow both HTTP and HTTPS
+            self.allowed_protocols = self.protocols_config.get("allowed_protocols", ["http", "https"])
+            # Ensure HTTPS is in allowed protocols if SSL is enabled
+            if "https" not in self.allowed_protocols:
+                self.allowed_protocols.append("https")
+        else:
+            # If SSL is disabled, only allow HTTP
+            self.allowed_protocols = self.protocols_config.get("allowed_protocols", ["http"])
+            # Remove HTTPS from allowed protocols if SSL is disabled
+            if "https" in self.allowed_protocols:
+                self.allowed_protocols.remove("https")
+        
+        logger.debug(f"Protocol manager loaded config: enabled={self.enabled}, allowed_protocols={self.allowed_protocols}, ssl_enabled={ssl_enabled}")
+    
+    def _is_ssl_enabled(self, current_config: Dict) -> bool:
+        """
+        Check if SSL is enabled in configuration.
+        
+        Args:
+            current_config: Current configuration dictionary
+            
+        Returns:
+            True if SSL is enabled, False otherwise
+        """
+        # Try security framework SSL config first
+        security_config = current_config.get("security", {})
+        ssl_config = security_config.get("ssl", {})
+        
+        if ssl_config.get("enabled", False):
+            logger.debug("SSL enabled via security.ssl configuration")
+            return True
+        
+        # Fallback to legacy SSL config
+        legacy_ssl_config = current_config.get("ssl", {})
+        if legacy_ssl_config.get("enabled", False):
+            logger.debug("SSL enabled via legacy ssl configuration")
+            return True
+        
+        logger.debug("SSL is disabled in configuration")
+        return False
+    
+    def update_config(self, new_config: Dict):
+        """
+        Update configuration and reload protocol settings.
+        
+        Args:
+            new_config: New configuration dictionary
+        """
+        self.app_config = new_config
+        self._load_config()
+        logger.info(f"Protocol manager configuration updated: allowed_protocols={self.allowed_protocols}")
+    
+    def reload_config(self):
+        """Reload protocol configuration from global config."""
+        self._load_config()
         
     def is_protocol_allowed(self, protocol: str) -> bool:
         """
@@ -88,7 +183,14 @@ class ProtocolManager:
             Protocol configuration dictionary
         """
         protocol_lower = protocol.lower()
-        return self.protocols_config.get(protocol_lower, {}).copy()
+        cfg = self.protocols_config.get(protocol_lower, {})
+        # Ensure dict type
+        if isinstance(cfg, dict):
+            try:
+                return cfg.copy()
+            except Exception:
+                return {}
+        return {}
     
     def validate_url_protocol(self, url: str) -> Tuple[bool, Optional[str]]:
         """
@@ -128,7 +230,11 @@ class ProtocolManager:
         if protocol.lower() not in ["https", "mtls"]:
             return None
             
-        ssl_config = config.get("ssl", {})
+        # Use provided config or fallback to global config
+        current_config = self.app_config if self.app_config is not None else config.get_all()
+        
+        # Get SSL configuration
+        ssl_config = self._get_ssl_config(current_config)
         
         if not ssl_config.get("enabled", False):
             logger.warning(f"SSL required for protocol '{protocol}' but SSL is disabled")
@@ -161,6 +267,33 @@ class ProtocolManager:
             logger.error(f"Failed to create SSL context for protocol '{protocol}': {e}")
             return None
     
+    def _get_ssl_config(self, current_config: Dict) -> Dict:
+        """
+        Get SSL configuration from config.
+        
+        Args:
+            current_config: Current configuration dictionary
+            
+        Returns:
+            SSL configuration dictionary
+        """
+        # Try security framework SSL config first
+        security_config = current_config.get("security", {})
+        ssl_config = security_config.get("ssl", {})
+        
+        if ssl_config.get("enabled", False):
+            logger.debug("Using security.ssl configuration")
+            return ssl_config
+        
+        # Fallback to legacy SSL config
+        legacy_ssl_config = current_config.get("ssl", {})
+        if legacy_ssl_config.get("enabled", False):
+            logger.debug("Using legacy ssl configuration")
+            return legacy_ssl_config
+        
+        # Return empty config if SSL is disabled
+        return {"enabled": False}
+    
     def get_protocol_info(self) -> Dict[str, Dict]:
         """
         Get information about all configured protocols.
@@ -213,7 +346,10 @@ class ProtocolManager:
                 
             # Check SSL requirements
             if protocol in ["https", "mtls"]:
-                ssl_config = config.get("ssl", {})
+                # Use provided config or fallback to global config
+                current_config = self.app_config if self.app_config is not None else config.get_all()
+                ssl_config = self._get_ssl_config(current_config)
+                
                 if not ssl_config.get("enabled", False):
                     errors.append(f"Protocol '{protocol}' requires SSL but SSL is disabled")
                 elif not ssl_config.get("cert_file") or not ssl_config.get("key_file"):
@@ -222,5 +358,28 @@ class ProtocolManager:
         return errors
 
 
-# Global protocol manager instance
-protocol_manager = ProtocolManager() 
+# Global protocol manager instance - will be updated with config when needed
+protocol_manager = None
+
+def get_protocol_manager(app_config: Optional[Dict] = None) -> ProtocolManager:
+    """
+    Get protocol manager instance with current configuration.
+    
+    Args:
+        app_config: Application configuration dictionary (optional)
+        
+    Returns:
+        ProtocolManager instance
+    """
+    global protocol_manager
+    
+    # If no app_config provided, use global config
+    if app_config is None:
+        app_config = config.get_all()
+    
+    # Create new instance if none exists or config changed
+    if protocol_manager is None or protocol_manager.app_config != app_config:
+        protocol_manager = ProtocolManager(app_config)
+        logger.info("Protocol manager created with new configuration")
+    
+    return protocol_manager