mcp-proxy-adapter 6.0.0__py3-none-any.whl → 6.0.1__py3-none-any.whl

mcp_proxy_adapter/api/middleware/command_permission_middleware.py

@@ -0,0 +1,148 @@
+"""
+Command Permission Middleware
+
+This middleware checks permissions for specific commands based on user roles.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import json
+import logging
+from typing import Dict, Any, Optional, Callable, Awaitable
+from fastapi import Request, Response
+from starlette.middleware.base import BaseHTTPMiddleware
+
+from mcp_proxy_adapter.core.logging import logger
+
+
+class CommandPermissionMiddleware(BaseHTTPMiddleware):
+    """
+    Middleware for checking command permissions.
+    
+    This middleware checks if the authenticated user has the required
+    permissions to execute specific commands.
+    """
+    
+    def __init__(self, app, config: Dict[str, Any]):
+        """
+        Initialize command permission middleware.
+        
+        Args:
+            app: FastAPI application
+            config: Configuration dictionary
+        """
+        super().__init__(app)
+        self.config = config
+        
+        # Define command permissions
+        self.command_permissions = {
+            "echo": ["read"],
+            "health": ["read"],
+            "role_test": ["read"],
+            "config": ["read"],
+            "help": ["read"],
+            # Add more commands as needed
+        }
+        
+        logger.info("Command permission middleware initialized")
+    
+    async def dispatch(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
+        """
+        Process request and check command permissions.
+        
+        Args:
+            request: Request object
+            call_next: Next handler
+            
+        Returns:
+            Response object
+        """
+        # Only check permissions for /cmd endpoint
+        if request.url.path != "/cmd":
+            return await call_next(request)
+        
+        try:
+            # Get request body
+            body = await request.body()
+            if not body:
+                return await call_next(request)
+            
+            # Parse JSON-RPC request
+            try:
+                data = json.loads(body)
+            except json.JSONDecodeError:
+                return await call_next(request)
+            
+            # Extract method (command name)
+            method = data.get("method")
+            if not method:
+                return await call_next(request)
+            
+            # Check if method requires permissions
+            if method not in self.command_permissions:
+                return await call_next(request)
+            
+            required_permissions = self.command_permissions[method]
+            
+            # Get user info from request state
+            user_info = getattr(request.state, "user", None)
+            if not user_info:
+                logger.warning(f"No user info found for command {method}")
+                return await call_next(request)
+            
+            user_roles = user_info.get("roles", [])
+            user_permissions = user_info.get("permissions", [])
+            
+            logger.debug(f"Checking permissions for {method}: user_roles={user_roles}, required={required_permissions}")
+            
+            # Check if user has required permissions
+            has_permission = self._check_permissions(user_roles, user_permissions, required_permissions)
+            
+            if not has_permission:
+                logger.warning(f"Permission denied for {method}: user_roles={user_roles}, required={required_permissions}")
+                
+                # Return permission denied response
+                error_response = {
+                    "error": {
+                        "code": 403,
+                        "message": f"Permission denied: {method} requires {required_permissions}",
+                        "type": "permission_denied"
+                    }
+                }
+                
+                return Response(
+                    content=json.dumps(error_response),
+                    status_code=403,
+                    media_type="application/json"
+                )
+            
+            logger.debug(f"Permission granted for {method}")
+            return await call_next(request)
+            
+        except Exception as e:
+            logger.error(f"Error in command permission middleware: {e}")
+            return await call_next(request)
+    
+    def _check_permissions(self, user_roles: list, user_permissions: list, required_permissions: list) -> bool:
+        """
+        Check if user has required permissions.
+        
+        Args:
+            user_roles: User roles
+            user_permissions: User permissions
+            required_permissions: Required permissions
+            
+        Returns:
+            True if user has required permissions
+        """
+        # Admin has all permissions
+        if "admin" in user_roles or "*" in user_permissions:
+            return True
+        
+        # Check if user has all required permissions
+        for required in required_permissions:
+            if required not in user_permissions:
+                return False
+        
+        return True

mcp_proxy_adapter/api/middleware/factory.py

@@ -13,9 +13,10 @@ from fastapi import FastAPI
 from mcp_proxy_adapter.core.logging import logger
 from mcp_proxy_adapter.core.security_factory import SecurityFactory
 from .base import BaseMiddleware
-from .security import SecurityMiddleware
+from .unified_security import UnifiedSecurityMiddleware
 from .error_handling import ErrorHandlingMiddleware
 from .logging import LoggingMiddleware
+from .user_info_middleware import UserInfoMiddleware
 
 
 class MiddlewareFactory:
@@ -40,12 +41,12 @@ class MiddlewareFactory:
         
         logger.info("Middleware factory initialized")
     
-    def create_security_middleware(self) -> Optional[SecurityMiddleware]:
+    def create_security_middleware(self) -> Optional[UnifiedSecurityMiddleware]:
         """
-        Create security middleware.
+        Create unified security middleware.
         
         Returns:
-            SecurityMiddleware instance or None if creation failed
+            UnifiedSecurityMiddleware instance or None if creation failed
         """
         try:
             security_config = self.config.get("security", {})
@@ -54,14 +55,14 @@ class MiddlewareFactory:
                 logger.info("Security middleware disabled by configuration")
                 return None
             
-            middleware = SecurityMiddleware(self.app, self.config)
+            middleware = UnifiedSecurityMiddleware(self.app, self.config)
             self.middleware_stack.append(middleware)
             
-            logger.info("Security middleware created successfully")
+            logger.info("Unified security middleware created successfully")
             return middleware
             
         except Exception as e:
-            logger.error(f"Failed to create security middleware: {e}")
+            logger.error(f"Failed to create unified security middleware: {e}")
             return None
     
     def create_error_handling_middleware(self) -> Optional[ErrorHandlingMiddleware]:
@@ -106,6 +107,24 @@ class MiddlewareFactory:
             logger.error(f"Failed to create logging middleware: {e}")
             return None
     
+    def create_user_info_middleware(self) -> Optional[UserInfoMiddleware]:
+        """
+        Create user info middleware.
+        
+        Returns:
+            UserInfoMiddleware instance or None if creation failed
+        """
+        try:
+            middleware = UserInfoMiddleware(self.app, self.config)
+            self.middleware_stack.append(middleware)
+            
+            logger.info("User info middleware created successfully")
+            return middleware
+            
+        except Exception as e:
+            logger.error(f"Failed to create user info middleware: {e}")
+            return None
+    
 
     
     def create_all_middleware(self) -> List[BaseMiddleware]:
@@ -132,6 +151,11 @@ class MiddlewareFactory:
         if logging_middleware:
             middleware_list.append(logging_middleware)
         
+        # Create user info middleware
+        user_info_middleware = self.create_user_info_middleware()
+        if user_info_middleware:
+            middleware_list.append(user_info_middleware)
+        
         logger.info(f"Created {len(middleware_list)} middleware components")
         return middleware_list
     
@@ -152,14 +176,14 @@ class MiddlewareFactory:
                 return middleware
         return None
     
-    def get_security_middleware(self) -> Optional[SecurityMiddleware]:
+    def get_security_middleware(self) -> Optional[UnifiedSecurityMiddleware]:
         """
-        Get security middleware instance.
+        Get unified security middleware instance.
         
         Returns:
-            SecurityMiddleware instance or None if not found
+            UnifiedSecurityMiddleware instance or None if not found
         """
-        return self.get_middleware_by_type(SecurityMiddleware)
+        return self.get_middleware_by_type(UnifiedSecurityMiddleware)
     
     def validate_middleware_config(self) -> bool:
         """
@@ -213,7 +237,7 @@ class MiddlewareFactory:
             middleware_type = type(middleware).__name__
             info["middleware_types"].append(middleware_type)
             
-            if isinstance(middleware, SecurityMiddleware):
+            if isinstance(middleware, UnifiedSecurityMiddleware):
                 info["security_enabled"] = True
         
         return info

mcp_proxy_adapter/api/middleware/protocol_middleware.py

@@ -4,12 +4,12 @@ Protocol middleware module.
 This module provides middleware for validating protocol access based on configuration.
 """
 
-from typing import Callable
+from typing import Callable, Dict, Any, Optional
 from fastapi import Request, Response
 from starlette.middleware.base import BaseHTTPMiddleware
 from starlette.responses import JSONResponse
 
-from mcp_proxy_adapter.core.protocol_manager import protocol_manager
+from mcp_proxy_adapter.core.protocol_manager import get_protocol_manager
 from mcp_proxy_adapter.core.logging import logger
 
 
@@ -21,28 +21,73 @@ class ProtocolMiddleware(BaseHTTPMiddleware):
     based on the protocol configuration.
     """
     
-    def __init__(self, app, protocol_manager_instance=None):
+    def __init__(self, app, app_config: Optional[Dict[str, Any]] = None):
         """
         Initialize protocol middleware.
-        
+
         Args:
             app: FastAPI application
-            protocol_manager_instance: Protocol manager instance (optional)
+            app_config: Application configuration dictionary (optional)
         """
         super().__init__(app)
-        self.protocol_manager = protocol_manager_instance or protocol_manager
+        # Normalize config to dictionary
+        normalized_config: Optional[Dict[str, Any]]
+        if app_config is None:
+            normalized_config = None
+        elif hasattr(app_config, 'get_all'):
+            try:
+                normalized_config = app_config.get_all()
+            except Exception as e:
+                logger.debug(f"ProtocolMiddleware - Error calling get_all(): {e}, type: {type(app_config)}")
+                normalized_config = None
+        elif hasattr(app_config, 'keys'):
+            normalized_config = app_config  # Already dict-like
+        else:
+            logger.debug(f"ProtocolMiddleware - app_config is not dict-like, type: {type(app_config)}, value: {repr(app_config)}")
+            normalized_config = None
+
+        logger.debug(f"ProtocolMiddleware - normalized_config type: {type(normalized_config)}")
+        if normalized_config:
+            logger.debug(f"ProtocolMiddleware - protocols in config: {'protocols' in normalized_config}")
+            if 'protocols' in normalized_config:
+                logger.debug(f"ProtocolMiddleware - protocols type: {type(normalized_config['protocols'])}")
+
+        self.app_config = normalized_config
+        # Get protocol manager with current configuration
+        self.protocol_manager = get_protocol_manager(normalized_config)
+    
+    def update_config(self, new_config: Dict[str, Any]):
+        """
+        Update configuration and reload protocol manager.
+        
+        Args:
+            new_config: New configuration dictionary
+        """
+        # Normalize new config
+        if hasattr(new_config, 'get_all'):
+            try:
+                self.app_config = new_config.get_all()
+            except Exception:
+                self.app_config = None
+        elif hasattr(new_config, 'keys'):
+            self.app_config = new_config
+        else:
+            self.app_config = None
+        self.protocol_manager = get_protocol_manager(self.app_config)
+        logger.info("Protocol middleware configuration updated")
     
     async def dispatch(self, request: Request, call_next: Callable) -> Response:
         """
         Process request through protocol middleware.
-        
+
         Args:
             request: Incoming request
             call_next: Next middleware/endpoint function
-            
+
         Returns:
             Response object
         """
+        logger.debug(f"ProtocolMiddleware.dispatch called for {request.method} {request.url.path}")
         try:
             # Get protocol from request
             protocol = self._get_request_protocol(request)
@@ -116,20 +161,41 @@ class ProtocolMiddleware(BaseHTTPMiddleware):
         return "http"
 
 
-def setup_protocol_middleware(app, protocol_manager_instance=None):
+def setup_protocol_middleware(app, app_config: Optional[Dict[str, Any]] = None):
     """
     Setup protocol middleware for FastAPI application.
-    
+
     Args:
         app: FastAPI application
-        protocol_manager_instance: Protocol manager instance (optional)
+        app_config: Application configuration dictionary (optional)
     """
-    if protocol_manager_instance is None:
-        protocol_manager_instance = protocol_manager
-    
-    # Only add middleware if protocol management is enabled
-    if protocol_manager_instance.enabled:
-        app.add_middleware(ProtocolMiddleware, protocol_manager_instance=protocol_manager_instance)
+    logger.debug(f"setup_protocol_middleware - app_config type: {type(app_config)}")
+
+    # Check if protocol management is enabled
+    if app_config is None:
+        from mcp_proxy_adapter.config import config
+        app_config = config.get_all()
+        logger.debug(f"setup_protocol_middleware - loaded from global config, type: {type(app_config)}")
+
+    logger.debug(f"setup_protocol_middleware - final app_config type: {type(app_config)}")
+
+    if hasattr(app_config, 'get'):
+        logger.debug(f"setup_protocol_middleware - app_config keys: {list(app_config.keys()) if hasattr(app_config, 'keys') else 'no keys'}")
+        protocols_config = app_config.get("protocols", {})
+        logger.debug(f"setup_protocol_middleware - protocols_config type: {type(protocols_config)}")
+        enabled = protocols_config.get("enabled", True) if hasattr(protocols_config, 'get') else True
+    else:
+        logger.debug(f"setup_protocol_middleware - app_config is not dict-like: {repr(app_config)}")
+        enabled = True
+
+    logger.debug(f"setup_protocol_middleware - protocol management enabled: {enabled}")
+
+    if enabled:
+        # Create protocol middleware with current configuration
+        logger.debug(f"setup_protocol_middleware - creating ProtocolMiddleware with config type: {type(app_config)}")
+        middleware = ProtocolMiddleware(app, app_config)
+        logger.debug(f"setup_protocol_middleware - adding middleware to app")
+        app.add_middleware(ProtocolMiddleware, app_config=app_config)
         logger.info("Protocol middleware added to application")
     else:
-        logger.debug("Protocol management is disabled, skipping protocol middleware") 
+        logger.info("Protocol management is disabled, skipping protocol middleware") 

mcp_proxy_adapter/api/middleware/unified_security.py

@@ -0,0 +1,197 @@
+"""
+Unified Security Middleware - Direct Framework Integration
+
+This middleware now directly uses mcp_security_framework components
+instead of custom implementations.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import time
+import logging
+from typing import Dict, Any, Optional, Callable, Awaitable
+from fastapi import Request, Response
+from starlette.middleware.base import BaseHTTPMiddleware
+
+# Direct import from framework
+try:
+    from mcp_security_framework.middleware.fastapi_middleware import FastAPISecurityMiddleware
+    from mcp_security_framework import SecurityManager
+    from mcp_security_framework.schemas.config import SecurityConfig
+    SECURITY_FRAMEWORK_AVAILABLE = True
+except ImportError:
+    SECURITY_FRAMEWORK_AVAILABLE = False
+    FastAPISecurityMiddleware = None
+    SecurityManager = None
+    SecurityConfig = None
+
+from mcp_proxy_adapter.core.logging import logger
+from mcp_proxy_adapter.core.security_integration import create_security_integration
+
+
+class SecurityValidationError(Exception):
+    """Security validation error."""
+    
+    def __init__(self, message: str, error_code: int):
+        self.message = message
+        self.error_code = error_code
+        super().__init__(self.message)
+
+
+class UnifiedSecurityMiddleware(BaseHTTPMiddleware):
+    """
+    Unified security middleware using mcp_security_framework.
+    
+    This middleware now directly uses the security framework's FastAPI middleware
+    and components instead of custom implementations.
+    """
+    
+    def __init__(self, app, config: Dict[str, Any]):
+        """
+        Initialize unified security middleware.
+        
+        Args:
+            app: FastAPI application
+            config: mcp_proxy_adapter configuration dictionary
+        """
+        super().__init__(app)
+        self.config = config
+        
+        # Create security integration
+        try:
+            security_config = config.get("security", {})
+            self.security_integration = create_security_integration(security_config)
+            # Use framework's FastAPI middleware
+            self.framework_middleware = self.security_integration.security_manager.create_fastapi_middleware()
+            logger.info("Using mcp_security_framework FastAPI middleware")
+            # IMPORTANT: Don't replace self.app! This breaks the middleware chain.
+            # Instead, store the framework middleware for use in dispatch method.
+            logger.info("Framework middleware will be used in dispatch method")
+        except Exception as e:
+            logger.error(f"Security framework integration failed: {e}")
+            # Instead of raising error, log warning and continue without security
+            logger.warning("Continuing without security framework - some security features will be disabled")
+            self.security_integration = None
+            self.framework_middleware = None
+            # Keep original app in place when framework middleware is unavailable
+            # BaseHTTPMiddleware initialized it via super().__init__(app)
+        
+        logger.info("Unified security middleware initialized")
+    
+    async def dispatch(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
+        """
+        Process request using framework middleware.
+        
+        Args:
+            request: Request object
+            call_next: Next handler
+            
+        Returns:
+            Response object
+        """
+        try:
+            # Simple built-in API key enforcement if configured
+            security_cfg = self.config.get("security", {}) if isinstance(self.config, dict) else {}
+            auth_cfg = security_cfg.get("auth", {})
+            permissions_cfg = security_cfg.get("permissions", {})
+            public_paths = set(auth_cfg.get("public_paths", ["/health", "/docs", "/openapi.json"]))
+            # JSON-RPC endpoint must not be public when API key is required
+            public_paths.discard("/api/jsonrpc")
+            path = request.url.path
+            methods = set(auth_cfg.get("methods", []))
+            api_keys: Dict[str, str] = auth_cfg.get("api_keys", {}) or {}
+
+            # Enforce only for non-public paths when api_key method configured
+            if security_cfg.get("enabled", False) and ("api_key" in methods) and (path not in public_paths):
+                # Accept either X-API-Key or Authorization: Bearer
+                token = request.headers.get("X-API-Key")
+                if not token:
+                    authz = request.headers.get("Authorization", "")
+                    if authz.startswith("Bearer "):
+                        token = authz[7:]
+                if not token or (api_keys and token not in api_keys):
+                    from fastapi.responses import JSONResponse
+                    return JSONResponse(status_code=401, content={
+                        "error": {
+                            "code": 401,
+                            "message": "Unauthorized: invalid or missing API key",
+                            "type": "authentication_error"
+                        }
+                    })
+
+            # Continue with framework middleware or regular flow
+            if self.framework_middleware:
+                # If framework middleware exists, we need to call it manually
+                # This is a workaround since we can't chain ASGI apps in BaseHTTPMiddleware
+                logger.debug("Framework middleware exists, continuing with regular call_next")
+                return await call_next(request)
+            else:
+                # No framework middleware, continue normally
+                return await call_next(request)
+
+        except SecurityValidationError as e:
+            # Handle security validation errors
+            return await self._handle_security_error(request, e)
+        except Exception as e:
+            # Handle other errors
+            logger.error(f"Unexpected error in unified security middleware: {e}")
+            return await self._handle_general_error(request, e)
+    
+
+    
+    async def _handle_security_error(self, request: Request, error: SecurityValidationError) -> Response:
+        """
+        Handle security validation errors.
+        
+        Args:
+            request: Request object
+            error: Security validation error
+            
+        Returns:
+            Error response
+        """
+        from fastapi.responses import JSONResponse
+        
+        error_response = {
+            "error": {
+                "code": error.error_code,
+                "message": error.message,
+                "type": "security_validation_error"
+            }
+        }
+        
+        logger.warning(f"Security validation failed: {error.message}")
+        
+        return JSONResponse(
+            status_code=error.error_code,
+            content=error_response
+        )
+    
+    async def _handle_general_error(self, request: Request, error: Exception) -> Response:
+        """
+        Handle general errors.
+        
+        Args:
+            request: Request object
+            error: General error
+            
+        Returns:
+            Error response
+        """
+        from fastapi.responses import JSONResponse
+        
+        error_response = {
+                "error": {
+                "code": 500,
+                    "message": "Internal server error",
+                "type": "general_error"
+            }
+        }
+        
+        logger.error(f"General error in security middleware: {error}")
+        
+        return JSONResponse(
+            status_code=500,
+            content=error_response
+        )