PyPI - mcp-proxy-adapter - Versions diffs - 6.0.0__py3-none-any.whl → 6.0.1__py3-none-any.whl - Mend

mcp-proxy-adapter 6.0.0py3-none-any.whl → 6.0.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

mcp_proxy_adapter/__main__.py +27 -7
mcp_proxy_adapter/api/app.py +209 -79
mcp_proxy_adapter/api/handlers.py +16 -5
mcp_proxy_adapter/api/middleware/__init__.py +14 -9
mcp_proxy_adapter/api/middleware/command_permission_middleware.py +148 -0
mcp_proxy_adapter/api/middleware/factory.py +36 -12
mcp_proxy_adapter/api/middleware/protocol_middleware.py +84 -18
mcp_proxy_adapter/api/middleware/unified_security.py +197 -0
mcp_proxy_adapter/api/middleware/user_info_middleware.py +158 -0
mcp_proxy_adapter/commands/__init__.py +7 -1
mcp_proxy_adapter/commands/base.py +7 -4
mcp_proxy_adapter/commands/builtin_commands.py +8 -2
mcp_proxy_adapter/commands/command_registry.py +8 -0
mcp_proxy_adapter/commands/echo_command.py +81 -0
mcp_proxy_adapter/commands/health_command.py +1 -1
mcp_proxy_adapter/commands/help_command.py +21 -14
mcp_proxy_adapter/commands/proxy_registration_command.py +326 -185
mcp_proxy_adapter/commands/role_test_command.py +141 -0
mcp_proxy_adapter/commands/security_command.py +488 -0
mcp_proxy_adapter/commands/ssl_setup_command.py +234 -351
mcp_proxy_adapter/commands/token_management_command.py +1 -1
mcp_proxy_adapter/config.py +323 -40
mcp_proxy_adapter/core/app_factory.py +410 -0
mcp_proxy_adapter/core/app_runner.py +272 -0
mcp_proxy_adapter/core/certificate_utils.py +291 -73
mcp_proxy_adapter/core/client.py +574 -0
mcp_proxy_adapter/core/client_manager.py +284 -0
mcp_proxy_adapter/core/client_security.py +384 -0
mcp_proxy_adapter/core/logging.py +8 -3
mcp_proxy_adapter/core/mtls_asgi.py +156 -0
mcp_proxy_adapter/core/mtls_asgi_app.py +187 -0
mcp_proxy_adapter/core/protocol_manager.py +169 -10
mcp_proxy_adapter/core/proxy_client.py +602 -0
mcp_proxy_adapter/core/proxy_registration.py +299 -47
mcp_proxy_adapter/core/security_adapter.py +12 -15
mcp_proxy_adapter/core/security_integration.py +286 -0
mcp_proxy_adapter/core/server_adapter.py +282 -0
mcp_proxy_adapter/core/server_engine.py +270 -0
mcp_proxy_adapter/core/ssl_utils.py +13 -12
mcp_proxy_adapter/core/transport_manager.py +5 -5
mcp_proxy_adapter/core/unified_config_adapter.py +579 -0
mcp_proxy_adapter/examples/__init__.py +13 -4
mcp_proxy_adapter/examples/basic_framework/__init__.py +9 -0
mcp_proxy_adapter/examples/basic_framework/commands/__init__.py +4 -0
mcp_proxy_adapter/examples/basic_framework/hooks/__init__.py +4 -0
mcp_proxy_adapter/examples/basic_framework/main.py +44 -0
mcp_proxy_adapter/examples/commands/__init__.py +5 -0
mcp_proxy_adapter/examples/create_certificates_simple.py +550 -0
mcp_proxy_adapter/examples/debug_request_state.py +112 -0
mcp_proxy_adapter/examples/debug_role_chain.py +158 -0
mcp_proxy_adapter/examples/demo_client.py +275 -0
mcp_proxy_adapter/examples/examples/basic_framework/__init__.py +9 -0
mcp_proxy_adapter/examples/examples/basic_framework/commands/__init__.py +4 -0
mcp_proxy_adapter/examples/examples/basic_framework/hooks/__init__.py +4 -0
mcp_proxy_adapter/examples/examples/basic_framework/main.py +44 -0
mcp_proxy_adapter/examples/examples/full_application/__init__.py +12 -0
mcp_proxy_adapter/examples/examples/full_application/commands/__init__.py +7 -0
mcp_proxy_adapter/examples/examples/full_application/commands/custom_echo_command.py +80 -0
mcp_proxy_adapter/examples/examples/full_application/commands/dynamic_calculator_command.py +90 -0
mcp_proxy_adapter/examples/examples/full_application/hooks/__init__.py +7 -0
mcp_proxy_adapter/examples/examples/full_application/hooks/application_hooks.py +75 -0
mcp_proxy_adapter/examples/examples/full_application/hooks/builtin_command_hooks.py +71 -0
mcp_proxy_adapter/examples/examples/full_application/main.py +173 -0
mcp_proxy_adapter/examples/examples/full_application/proxy_endpoints.py +154 -0
mcp_proxy_adapter/examples/full_application/__init__.py +12 -0
mcp_proxy_adapter/examples/full_application/commands/__init__.py +7 -0
mcp_proxy_adapter/examples/full_application/commands/custom_echo_command.py +80 -0
mcp_proxy_adapter/examples/full_application/commands/dynamic_calculator_command.py +90 -0
mcp_proxy_adapter/examples/full_application/hooks/__init__.py +7 -0
mcp_proxy_adapter/examples/full_application/hooks/application_hooks.py +75 -0
mcp_proxy_adapter/examples/full_application/hooks/builtin_command_hooks.py +71 -0
mcp_proxy_adapter/examples/full_application/main.py +173 -0
mcp_proxy_adapter/examples/full_application/proxy_endpoints.py +154 -0
mcp_proxy_adapter/examples/generate_all_certificates.py +362 -0
mcp_proxy_adapter/examples/generate_certificates.py +177 -0
mcp_proxy_adapter/examples/generate_certificates_and_tokens.py +369 -0
mcp_proxy_adapter/examples/generate_test_configs.py +331 -0
mcp_proxy_adapter/examples/proxy_registration_example.py +334 -0
mcp_proxy_adapter/examples/run_example.py +59 -0
mcp_proxy_adapter/examples/run_full_test_suite.py +318 -0
mcp_proxy_adapter/examples/run_proxy_server.py +146 -0
mcp_proxy_adapter/examples/run_security_tests.py +544 -0
mcp_proxy_adapter/examples/run_security_tests_fixed.py +247 -0
mcp_proxy_adapter/examples/scripts/config_generator.py +740 -0
mcp_proxy_adapter/examples/scripts/create_certificates_simple.py +560 -0
mcp_proxy_adapter/examples/scripts/generate_certificates_and_tokens.py +369 -0
mcp_proxy_adapter/examples/security_test_client.py +782 -0
mcp_proxy_adapter/examples/setup_test_environment.py +328 -0
mcp_proxy_adapter/examples/test_config.py +148 -0
mcp_proxy_adapter/examples/test_config_generator.py +86 -0
mcp_proxy_adapter/examples/test_examples.py +281 -0
mcp_proxy_adapter/examples/universal_client.py +620 -0
mcp_proxy_adapter/main.py +66 -148
mcp_proxy_adapter/utils/config_generator.py +1008 -0
mcp_proxy_adapter/version.py +5 -2
mcp_proxy_adapter-6.0.1.dist-info/METADATA +679 -0
mcp_proxy_adapter-6.0.1.dist-info/RECORD +140 -0
mcp_proxy_adapter-6.0.1.dist-info/entry_points.txt +2 -0
{mcp_proxy_adapter-6.0.0.dist-info → mcp_proxy_adapter-6.0.1.dist-info}/licenses/LICENSE +2 -2
mcp_proxy_adapter/api/middleware/auth.py +0 -146
mcp_proxy_adapter/api/middleware/auth_adapter.py +0 -235
mcp_proxy_adapter/api/middleware/mtls_adapter.py +0 -305
mcp_proxy_adapter/api/middleware/mtls_middleware.py +0 -296
mcp_proxy_adapter/api/middleware/rate_limit.py +0 -152
mcp_proxy_adapter/api/middleware/rate_limit_adapter.py +0 -241
mcp_proxy_adapter/api/middleware/roles_adapter.py +0 -365
mcp_proxy_adapter/api/middleware/roles_middleware.py +0 -381
mcp_proxy_adapter/api/middleware/security.py +0 -376
mcp_proxy_adapter/api/middleware/token_auth_middleware.py +0 -261
mcp_proxy_adapter/examples/README.md +0 -124
mcp_proxy_adapter/examples/basic_server/README.md +0 -60
mcp_proxy_adapter/examples/basic_server/__init__.py +0 -7
mcp_proxy_adapter/examples/basic_server/basic_custom_settings.json +0 -39
mcp_proxy_adapter/examples/basic_server/config.json +0 -70
mcp_proxy_adapter/examples/basic_server/config_all_protocols.json +0 -54
mcp_proxy_adapter/examples/basic_server/config_http.json +0 -70
mcp_proxy_adapter/examples/basic_server/config_http_only.json +0 -52
mcp_proxy_adapter/examples/basic_server/config_https.json +0 -58
mcp_proxy_adapter/examples/basic_server/config_mtls.json +0 -58
mcp_proxy_adapter/examples/basic_server/config_ssl.json +0 -46
mcp_proxy_adapter/examples/basic_server/custom_settings_example.py +0 -238
mcp_proxy_adapter/examples/basic_server/server.py +0 -114
mcp_proxy_adapter/examples/custom_commands/README.md +0 -127
mcp_proxy_adapter/examples/custom_commands/__init__.py +0 -27
mcp_proxy_adapter/examples/custom_commands/advanced_hooks.py +0 -566
mcp_proxy_adapter/examples/custom_commands/auto_commands/__init__.py +0 -6
mcp_proxy_adapter/examples/custom_commands/auto_commands/auto_echo_command.py +0 -103
mcp_proxy_adapter/examples/custom_commands/auto_commands/auto_info_command.py +0 -111
mcp_proxy_adapter/examples/custom_commands/auto_commands/test_command.py +0 -105
mcp_proxy_adapter/examples/custom_commands/catalog/commands/test_command.py +0 -129
mcp_proxy_adapter/examples/custom_commands/config.json +0 -118
mcp_proxy_adapter/examples/custom_commands/config_all_protocols.json +0 -46
mcp_proxy_adapter/examples/custom_commands/config_https_only.json +0 -46
mcp_proxy_adapter/examples/custom_commands/config_https_transport.json +0 -33
mcp_proxy_adapter/examples/custom_commands/config_mtls_only.json +0 -46
mcp_proxy_adapter/examples/custom_commands/config_mtls_transport.json +0 -33
mcp_proxy_adapter/examples/custom_commands/config_single_transport.json +0 -33
mcp_proxy_adapter/examples/custom_commands/custom_health_command.py +0 -169
mcp_proxy_adapter/examples/custom_commands/custom_help_command.py +0 -215
mcp_proxy_adapter/examples/custom_commands/custom_openapi_generator.py +0 -76
mcp_proxy_adapter/examples/custom_commands/custom_settings.json +0 -96
mcp_proxy_adapter/examples/custom_commands/custom_settings_manager.py +0 -241
mcp_proxy_adapter/examples/custom_commands/data_transform_command.py +0 -135
mcp_proxy_adapter/examples/custom_commands/echo_command.py +0 -122
mcp_proxy_adapter/examples/custom_commands/full_help_response.json +0 -1
mcp_proxy_adapter/examples/custom_commands/generated_openapi.json +0 -629
mcp_proxy_adapter/examples/custom_commands/get_openapi.py +0 -103
mcp_proxy_adapter/examples/custom_commands/hooks.py +0 -230
mcp_proxy_adapter/examples/custom_commands/intercept_command.py +0 -123
mcp_proxy_adapter/examples/custom_commands/loadable_commands/test_ignored.py +0 -129
mcp_proxy_adapter/examples/custom_commands/manual_echo_command.py +0 -103
mcp_proxy_adapter/examples/custom_commands/proxy_connection_manager.py +0 -278
mcp_proxy_adapter/examples/custom_commands/server.py +0 -252
mcp_proxy_adapter/examples/custom_commands/simple_openapi_server.py +0 -75
mcp_proxy_adapter/examples/custom_commands/start_server_with_proxy_manager.py +0 -299
mcp_proxy_adapter/examples/custom_commands/start_server_with_registration.py +0 -278
mcp_proxy_adapter/examples/custom_commands/test_hooks.py +0 -176
mcp_proxy_adapter/examples/custom_commands/test_openapi.py +0 -27
mcp_proxy_adapter/examples/custom_commands/test_registry.py +0 -23
mcp_proxy_adapter/examples/custom_commands/test_simple.py +0 -19
mcp_proxy_adapter/examples/custom_project_example/README.md +0 -103
mcp_proxy_adapter/examples/custom_project_example/README_EN.md +0 -103
mcp_proxy_adapter/examples/deployment/README.md +0 -49
mcp_proxy_adapter/examples/deployment/__init__.py +0 -7
mcp_proxy_adapter/examples/deployment/config.development.json +0 -8
mcp_proxy_adapter/examples/deployment/config.json +0 -29
mcp_proxy_adapter/examples/deployment/config.production.json +0 -12
mcp_proxy_adapter/examples/deployment/config.staging.json +0 -11
mcp_proxy_adapter/examples/deployment/docker-compose.yml +0 -31
mcp_proxy_adapter/examples/deployment/run.sh +0 -43
mcp_proxy_adapter/examples/deployment/run_docker.sh +0 -84
mcp_proxy_adapter/examples/simple_custom_commands/README.md +0 -149
mcp_proxy_adapter/examples/simple_custom_commands/README_EN.md +0 -149
mcp_proxy_adapter/schemas/base_schema.json +0 -114
mcp_proxy_adapter/schemas/openapi_schema.json +0 -314
mcp_proxy_adapter/schemas/roles_schema.json +0 -162
mcp_proxy_adapter/tests/__init__.py +0 -0
mcp_proxy_adapter/tests/api/__init__.py +0 -3
mcp_proxy_adapter/tests/api/test_cmd_endpoint.py +0 -115
mcp_proxy_adapter/tests/api/test_custom_openapi.py +0 -617
mcp_proxy_adapter/tests/api/test_handlers.py +0 -522
mcp_proxy_adapter/tests/api/test_middleware.py +0 -340
mcp_proxy_adapter/tests/api/test_schemas.py +0 -546
mcp_proxy_adapter/tests/api/test_tool_integration.py +0 -531
mcp_proxy_adapter/tests/commands/__init__.py +0 -3
mcp_proxy_adapter/tests/commands/test_config_command.py +0 -211
mcp_proxy_adapter/tests/commands/test_echo_command.py +0 -127
mcp_proxy_adapter/tests/commands/test_help_command.py +0 -136
mcp_proxy_adapter/tests/conftest.py +0 -131
mcp_proxy_adapter/tests/functional/__init__.py +0 -3
mcp_proxy_adapter/tests/functional/test_api.py +0 -253
mcp_proxy_adapter/tests/integration/__init__.py +0 -3
mcp_proxy_adapter/tests/integration/test_cmd_integration.py +0 -129
mcp_proxy_adapter/tests/integration/test_integration.py +0 -255
mcp_proxy_adapter/tests/performance/__init__.py +0 -3
mcp_proxy_adapter/tests/performance/test_performance.py +0 -189
mcp_proxy_adapter/tests/stubs/__init__.py +0 -10
mcp_proxy_adapter/tests/stubs/echo_command.py +0 -104
mcp_proxy_adapter/tests/test_api_endpoints.py +0 -271
mcp_proxy_adapter/tests/test_api_handlers.py +0 -289
mcp_proxy_adapter/tests/test_base_command.py +0 -123
mcp_proxy_adapter/tests/test_batch_requests.py +0 -117
mcp_proxy_adapter/tests/test_command_registry.py +0 -281
mcp_proxy_adapter/tests/test_config.py +0 -127
mcp_proxy_adapter/tests/test_utils.py +0 -65
mcp_proxy_adapter/tests/unit/__init__.py +0 -3
mcp_proxy_adapter/tests/unit/test_base_command.py +0 -436
mcp_proxy_adapter/tests/unit/test_config.py +0 -270
mcp_proxy_adapter-6.0.0.dist-info/METADATA +0 -201
mcp_proxy_adapter-6.0.0.dist-info/RECORD +0 -179
{mcp_proxy_adapter-6.0.0.dist-info → mcp_proxy_adapter-6.0.1.dist-info}/WHEEL +0 -0
{mcp_proxy_adapter-6.0.0.dist-info → mcp_proxy_adapter-6.0.1.dist-info}/top_level.txt +0 -0

mcp_proxy_adapter/api/middleware/mtls_adapter.py DELETED Viewed

@@ -1,305 +0,0 @@
-"""
-MTLS Middleware Adapter for backward compatibility.
-This module provides an adapter that maintains the same interface as MTLSMiddleware
-while using the new SecurityMiddleware internally.
-"""
-import logging
-from typing import Dict, List, Optional, Any, Callable, Awaitable
-from cryptography import x509
-from cryptography.hazmat.primitives import serialization
-from fastapi import Request, Response
-from starlette.responses import JSONResponse
-from mcp_proxy_adapter.core.logging import logger
-from mcp_proxy_adapter.core.auth_validator import AuthValidator
-from mcp_proxy_adapter.core.role_utils import RoleUtils
-from mcp_proxy_adapter.core.certificate_utils import CertificateUtils
-from .base import BaseMiddleware
-from .security import SecurityMiddleware
-class MTLSMiddlewareAdapter(BaseMiddleware):
-    """
-    Adapter for MTLSMiddleware that uses SecurityMiddleware internally.
-    Maintains the same interface as the original MTLSMiddleware for backward compatibility.
-    """
-    def __init__(self, app, mtls_config: Dict[str, Any]):
-        """
-        Initialize mTLS middleware adapter.
-        Args:
-            app: FastAPI application
-            mtls_config: mTLS configuration dictionary
-        """
-        super().__init__(app)
-        # Store original configuration for backward compatibility
-        self.mtls_config = mtls_config
-        self.auth_validator = AuthValidator()
-        self.role_utils = RoleUtils()
-        self.certificate_utils = CertificateUtils()
-        # Extract configuration
-        self.enabled = mtls_config.get("enabled", False)
-        self.ca_cert_path = mtls_config.get("ca_cert")
-        self.verify_client = mtls_config.get("verify_client", True)
-        self.client_cert_required = mtls_config.get("client_cert_required", True)
-        self.allowed_roles = mtls_config.get("allowed_roles", [])
-        self.require_roles = mtls_config.get("require_roles", False)
-        # Create internal security middleware
-        self.security_middleware = self._create_security_middleware()
-        logger.info(f"MTLSMiddlewareAdapter initialized: enabled={self.enabled}, "
-                   f"verify_client={self.verify_client}, "
-                   f"client_cert_required={self.client_cert_required}")
-    def _create_security_middleware(self) -> SecurityMiddleware:
-        """
-        Create internal SecurityMiddleware with MTLSMiddleware configuration.
-        Returns:
-            SecurityMiddleware instance
-        """
-        # Convert MTLSMiddleware config to SecurityMiddleware config
-        security_config = {
-            "security": {
-                "enabled": self.enabled,
-                "auth": {
-                    "enabled": False
-                },
-                "ssl": {
-                    "enabled": self.enabled,
-                    "cert_file": None,
-                    "key_file": None,
-                    "ca_cert": self.ca_cert_path,
-                    "min_tls_version": "TLSv1.2",
-                    "verify_client": self.verify_client,
-                    "client_cert_required": self.client_cert_required
-                },
-                "permissions": {
-                    "enabled": self.require_roles,
-                    "roles_file": None,
-                    "default_role": "user",
-                    "deny_by_default": True
-                },
-                "rate_limit": {
-                    "enabled": False
-                }
-            }
-        }
-        return SecurityMiddleware(self.app, security_config)
-    async def before_request(self, request: Request) -> None:
-        """
-        Process request before calling the main handler.
-        Args:
-            request: FastAPI request object
-        """
-        if not self.enabled:
-            return
-        try:
-            # Use SecurityMiddleware for validation
-            await self.security_middleware.before_request(request)
-            # Additional MTLS-specific processing
-            client_cert = self._extract_client_certificate(request)
-            if client_cert:
-                # Store certificate and roles in request state for backward compatibility
-                request.state.client_certificate = client_cert
-                request.state.client_roles = self._extract_roles_from_certificate(client_cert)
-                request.state.client_common_name = self._get_common_name(client_cert)
-                logger.debug(f"mTLS authentication successful for {request.state.client_common_name} "
-                            f"with roles: {request.state.client_roles}")
-        except Exception as e:
-            logger.error(f"mTLS authentication failed: {e}")
-            raise
-    def _extract_client_certificate(self, request: Request) -> Optional[x509.Certificate]:
-        """
-        Extract client certificate from request.
-        Args:
-            request: FastAPI request object
-        Returns:
-            Client certificate or None
-        """
-        # Check for certificate in request headers
-        cert_header = request.headers.get("X-Client-Cert")
-        if cert_header:
-            try:
-                cert_data = cert_header.encode('utf-8')
-                return x509.load_pem_x509_certificate(cert_data)
-            except Exception as e:
-                logger.warning(f"Failed to parse certificate from header: {e}")
-        # Check for certificate in request state (from SSL context)
-        if hasattr(request, 'client') and hasattr(request.client, 'get_extra_info'):
-            cert = request.client.get_extra_info('ssl_object')
-            if cert:
-                return cert
-        return None
-    def _validate_client_certificate(self, cert: x509.Certificate) -> bool:
-        """
-        Validate client certificate.
-        Args:
-            cert: Client certificate
-        Returns:
-            True if valid, False otherwise
-        """
-        try:
-            # Basic validation
-            if not self.certificate_utils.is_certificate_valid(cert):
-                return False
-            # CA validation if CA cert is provided
-            if self.ca_cert_path:
-                return self.certificate_utils.validate_certificate_chain(cert, self.ca_cert_path)
-            return True
-        except Exception as e:
-            logger.error(f"Certificate validation failed: {e}")
-            return False
-    def _extract_roles_from_certificate(self, cert: x509.Certificate) -> List[str]:
-        """
-        Extract roles from client certificate.
-        Args:
-            cert: Client certificate
-        Returns:
-            List of roles
-        """
-        try:
-            # Extract from subject alternative names
-            roles = []
-            # Check for roles in SAN
-            san = cert.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
-            if san:
-                for name in san.value:
-                    if isinstance(name, x509.DNSName):
-                        if name.value.startswith("role="):
-                            role = name.value.split("=", 1)[1]
-                            roles.append(role)
-            # Check for roles in subject
-            subject = cert.subject
-            for attr in subject:
-                if attr.oid.dotted_string == "2.5.4.3":  # Common Name
-                    if attr.value.startswith("role="):
-                        role = attr.value.split("=", 1)[1]
-                        roles.append(role)
-            # Check allowed roles if specified
-            if self.allowed_roles:
-                roles = [role for role in roles if role in self.allowed_roles]
-            return roles
-        except Exception as e:
-            logger.error(f"Failed to extract roles from certificate: {e}")
-            return []
-    def _get_common_name(self, cert: x509.Certificate) -> str:
-        """
-        Get common name from certificate.
-        Args:
-            cert: Client certificate
-        Returns:
-            Common name
-        """
-        try:
-            subject = cert.subject
-            for attr in subject:
-                if attr.oid.dotted_string == "2.5.4.3":  # Common Name
-                    return attr.value
-            return "unknown"
-        except Exception:
-            return "unknown"
-    def _validate_access(self, roles: List[str]) -> bool:
-        """
-        Validate access based on roles.
-        Args:
-            roles: List of client roles
-        Returns:
-            True if access is allowed, False otherwise
-        """
-        if not self.require_roles:
-            return True
-        if not roles:
-            return False
-        # Check if any role is allowed
-        return any(role in self.allowed_roles for role in roles)
-    def get_client_certificate(self, request: Request) -> Optional[x509.Certificate]:
-        """
-        Get client certificate from request state (backward compatibility).
-        Args:
-            request: Request object
-        Returns:
-            Client certificate or None
-        """
-        return getattr(request.state, 'client_certificate', None)
-    def get_client_roles(self, request: Request) -> List[str]:
-        """
-        Get client roles from request state (backward compatibility).
-        Args:
-            request: Request object
-        Returns:
-            List of client roles
-        """
-        return getattr(request.state, 'client_roles', [])
-    def get_client_common_name(self, request: Request) -> str:
-        """
-        Get client common name from request state (backward compatibility).
-        Args:
-            request: Request object
-        Returns:
-            Client common name
-        """
-        return getattr(request.state, 'client_common_name', 'unknown')
-    def is_mtls_authenticated(self, request: Request) -> bool:
-        """
-        Check if request is mTLS authenticated (backward compatibility).
-        Args:
-            request: Request object
-        Returns:
-            True if mTLS authenticated, False otherwise
-        """
-        return hasattr(request.state, 'client_certificate') and request.state.client_certificate is not None

mcp_proxy_adapter/api/middleware/mtls_middleware.py DELETED Viewed

@@ -1,296 +0,0 @@
-"""
-mTLS Middleware
-This module provides middleware for mutual TLS (mTLS) authentication.
-Extracts and validates client certificates, extracts roles, and validates access.
-Author: MCP Proxy Adapter Team
-Version: 1.0.0
-"""
-import logging
-from typing import Dict, List, Optional, Any
-from cryptography import x509
-from cryptography.hazmat.primitives import serialization
-from fastapi import Request, Response
-from starlette.middleware.base import BaseHTTPMiddleware
-from ...core.auth_validator import AuthValidator
-from ...core.role_utils import RoleUtils
-from ...core.certificate_utils import CertificateUtils
-from .base import BaseMiddleware
-logger = logging.getLogger(__name__)
-class MTLSMiddleware(BaseMiddleware):
-    """
-    Middleware for mTLS authentication.
-    Extracts client certificates from requests, validates them against CA,
-    extracts roles, and validates access based on configuration.
-    """
-    def __init__(self, app, mtls_config: Dict[str, Any]):
-        """
-        Initialize mTLS middleware.
-        Args:
-            app: FastAPI application
-            mtls_config: mTLS configuration dictionary
-        """
-        super().__init__(app)
-        self.mtls_config = mtls_config
-        self.auth_validator = AuthValidator()
-        self.role_utils = RoleUtils()
-        self.certificate_utils = CertificateUtils()
-        # Extract configuration
-        self.enabled = mtls_config.get("enabled", False)
-        self.ca_cert_path = mtls_config.get("ca_cert")
-        self.verify_client = mtls_config.get("verify_client", True)
-        self.client_cert_required = mtls_config.get("client_cert_required", True)
-        self.allowed_roles = mtls_config.get("allowed_roles", [])
-        self.require_roles = mtls_config.get("require_roles", False)
-        logger.info(f"mTLS middleware initialized: enabled={self.enabled}, "
-                   f"verify_client={self.verify_client}, "
-                   f"client_cert_required={self.client_cert_required}")
-    async def before_request(self, request: Request) -> None:
-        """
-        Process request before calling the main handler.
-        Args:
-            request: FastAPI request object
-        """
-        if not self.enabled:
-            return
-        try:
-            # Extract client certificate
-            client_cert = self._extract_client_certificate(request)
-            if client_cert is None:
-                if self.client_cert_required:
-                    raise ValueError("Client certificate is required but not provided")
-                return
-            # Validate client certificate
-            if not self._validate_client_certificate(client_cert):
-                raise ValueError("Client certificate validation failed")
-            # Extract roles from certificate
-            roles = self._extract_roles_from_certificate(client_cert)
-            # Validate access based on roles
-            if self.require_roles and not self._validate_access(roles):
-                raise ValueError("Access denied: insufficient roles")
-            # Store certificate and roles in request state
-            request.state.client_certificate = client_cert
-            request.state.client_roles = roles
-            request.state.client_common_name = self._get_common_name(client_cert)
-            logger.debug(f"mTLS authentication successful for {request.state.client_common_name} "
-                        f"with roles: {roles}")
-        except Exception as e:
-            logger.error(f"mTLS authentication failed: {e}")
-            raise
-    def _extract_client_certificate(self, request: Request) -> Optional[x509.Certificate]:
-        """
-        Extract client certificate from request.
-        Args:
-            request: FastAPI request object
-        Returns:
-            Client certificate object or None if not found
-        """
-        try:
-            # Check if client certificate is available in SSL context
-            if hasattr(request, 'scope') and 'ssl' in request.scope:
-                ssl_context = request.scope['ssl']
-                if hasattr(ssl_context, 'getpeercert'):
-                    cert_data = ssl_context.getpeercert(binary_form=True)
-                    if cert_data:
-                        return x509.load_der_x509_certificate(cert_data)
-            # Check for certificate in headers (for proxy scenarios)
-            cert_header = request.headers.get('ssl-client-cert')
-            if cert_header:
-                # Remove header prefix if present
-                if cert_header.startswith('-----BEGIN CERTIFICATE-----'):
-                    cert_data = cert_header.encode('utf-8')
-                else:
-                    # Assume it's base64 encoded
-                    import base64
-                    cert_data = base64.b64decode(cert_header)
-                return x509.load_pem_x509_certificate(cert_data)
-            return None
-        except Exception as e:
-            logger.error(f"Failed to extract client certificate: {e}")
-            return None
-    def _validate_client_certificate(self, cert: x509.Certificate) -> bool:
-        """
-        Validate client certificate.
-        Args:
-            cert: Client certificate object
-        Returns:
-            True if certificate is valid, False otherwise
-        """
-        try:
-            if not self.verify_client:
-                return True
-            # Convert certificate to PEM format for validation
-            cert_pem = cert.public_bytes(serialization.Encoding.PEM)
-            # Use AuthValidator to validate certificate
-            result = self.auth_validator.validate_certificate_data(cert_pem)
-            if not result.is_valid:
-                logger.warning(f"Certificate validation failed: {result.error_message}")
-                return False
-            # Validate certificate chain if CA is provided
-            if self.ca_cert_path and self.ca_cert_path != "None":
-                # Create temporary file for certificate
-                import tempfile
-                import os
-                with tempfile.NamedTemporaryFile(mode='wb', suffix='.crt', delete=False) as f:
-                    f.write(cert_pem)
-                    temp_cert_path = f.name
-                try:
-                    chain_valid = self.certificate_utils.validate_certificate_chain(
-                        temp_cert_path, self.ca_cert_path
-                    )
-                    if not chain_valid:
-                        logger.warning("Certificate chain validation failed")
-                        return False
-                finally:
-                    os.unlink(temp_cert_path)
-            return True
-        except Exception as e:
-            logger.error(f"Failed to validate client certificate: {e}")
-            return False
-    def _extract_roles_from_certificate(self, cert: x509.Certificate) -> List[str]:
-        """
-        Extract roles from client certificate.
-        Args:
-            cert: Client certificate object
-        Returns:
-            List of roles extracted from certificate
-        """
-        try:
-            return self.certificate_utils.extract_roles_from_certificate_object(cert)
-        except Exception as e:
-            logger.error(f"Failed to extract roles from certificate: {e}")
-            return []
-    def _validate_access(self, roles: List[str]) -> bool:
-        """
-        Validate access based on roles.
-        Args:
-            roles: List of roles from client certificate
-        Returns:
-            True if access is allowed, False otherwise
-        """
-        try:
-            if not self.allowed_roles:
-                return True
-            if not roles:
-                return False
-            # Check if any of the client roles match allowed roles
-            for client_role in roles:
-                for allowed_role in self.allowed_roles:
-                    if self.role_utils.compare_roles(client_role, allowed_role):
-                        return True
-            return False
-        except Exception as e:
-            logger.error(f"Failed to validate access: {e}")
-            return False
-    def _get_common_name(self, cert: x509.Certificate) -> str:
-        """
-        Get common name from certificate.
-        Args:
-            cert: Certificate object
-        Returns:
-            Common name or empty string if not found
-        """
-        try:
-            for name_attribute in cert.subject:
-                if name_attribute.oid == x509.NameOID.COMMON_NAME:
-                    return str(name_attribute.value)
-            return ""
-        except Exception as e:
-            logger.error(f"Failed to get common name: {e}")
-            return ""
-    async def handle_error(self, request: Request, exception: Exception) -> Response:
-        """
-        Handle mTLS authentication errors.
-        Args:
-            request: FastAPI request object
-            exception: Exception that occurred
-        Returns:
-            Error response
-        """
-        from fastapi.responses import JSONResponse
-        error_message = str(exception)
-        if "certificate is required" in error_message.lower():
-            status_code = 401
-            error_code = -32009  # Certificate not found
-        elif "validation failed" in error_message.lower():
-            status_code = 401
-            error_code = -32003  # Certificate validation failed
-        elif "access denied" in error_message.lower():
-            status_code = 403
-            error_code = -32007  # Role validation failed
-        else:
-            status_code = 500
-            error_code = -32603  # Internal error
-        return JSONResponse(
-            status_code=status_code,
-            content={
-                "jsonrpc": "2.0",
-                "error": {
-                    "code": error_code,
-                    "message": error_message,
-                    "data": {
-                        "validation_type": "mtls",
-                        "request_id": getattr(request.state, 'request_id', None)
-                    }
-                },
-                "id": None
-            }
-        )

mcp-proxy-adapter 6.0.0__py3-none-any.whl → 6.0.1__py3-none-any.whl

mcp-proxy-adapter 6.0.0py3-none-any.whl → 6.0.1py3-none-any.whl