PyPI - mcp-proxy-adapter - Versions diffs - 6.0.0__py3-none-any.whl → 6.1.0__py3-none-any.whl - Mend

mcp-proxy-adapter 6.0.0py3-none-any.whl → 6.1.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (259) hide show

mcp_proxy_adapter/api/middleware/mtls_middleware.py DELETED Viewed

@@ -1,296 +0,0 @@
-"""
-mTLS Middleware
-This module provides middleware for mutual TLS (mTLS) authentication.
-Extracts and validates client certificates, extracts roles, and validates access.
-Author: MCP Proxy Adapter Team
-Version: 1.0.0
-"""
-import logging
-from typing import Dict, List, Optional, Any
-from cryptography import x509
-from cryptography.hazmat.primitives import serialization
-from fastapi import Request, Response
-from starlette.middleware.base import BaseHTTPMiddleware
-from ...core.auth_validator import AuthValidator
-from ...core.role_utils import RoleUtils
-from ...core.certificate_utils import CertificateUtils
-from .base import BaseMiddleware
-logger = logging.getLogger(__name__)
-class MTLSMiddleware(BaseMiddleware):
-    """
-    Middleware for mTLS authentication.
-    Extracts client certificates from requests, validates them against CA,
-    extracts roles, and validates access based on configuration.
-    """
-    def __init__(self, app, mtls_config: Dict[str, Any]):
-        """
-        Initialize mTLS middleware.
-        Args:
-            app: FastAPI application
-            mtls_config: mTLS configuration dictionary
-        """
-        super().__init__(app)
-        self.mtls_config = mtls_config
-        self.auth_validator = AuthValidator()
-        self.role_utils = RoleUtils()
-        self.certificate_utils = CertificateUtils()
-        # Extract configuration
-        self.enabled = mtls_config.get("enabled", False)
-        self.ca_cert_path = mtls_config.get("ca_cert")
-        self.verify_client = mtls_config.get("verify_client", True)
-        self.client_cert_required = mtls_config.get("client_cert_required", True)
-        self.allowed_roles = mtls_config.get("allowed_roles", [])
-        self.require_roles = mtls_config.get("require_roles", False)
-        logger.info(f"mTLS middleware initialized: enabled={self.enabled}, "
-                   f"verify_client={self.verify_client}, "
-                   f"client_cert_required={self.client_cert_required}")
-    async def before_request(self, request: Request) -> None:
-        """
-        Process request before calling the main handler.
-        Args:
-            request: FastAPI request object
-        """
-        if not self.enabled:
-            return
-        try:
-            # Extract client certificate
-            client_cert = self._extract_client_certificate(request)
-            if client_cert is None:
-                if self.client_cert_required:
-                    raise ValueError("Client certificate is required but not provided")
-                return
-            # Validate client certificate
-            if not self._validate_client_certificate(client_cert):
-                raise ValueError("Client certificate validation failed")
-            # Extract roles from certificate
-            roles = self._extract_roles_from_certificate(client_cert)
-            # Validate access based on roles
-            if self.require_roles and not self._validate_access(roles):
-                raise ValueError("Access denied: insufficient roles")
-            # Store certificate and roles in request state
-            request.state.client_certificate = client_cert
-            request.state.client_roles = roles
-            request.state.client_common_name = self._get_common_name(client_cert)
-            logger.debug(f"mTLS authentication successful for {request.state.client_common_name} "
-                        f"with roles: {roles}")
-        except Exception as e:
-            logger.error(f"mTLS authentication failed: {e}")
-            raise
-    def _extract_client_certificate(self, request: Request) -> Optional[x509.Certificate]:
-        """
-        Extract client certificate from request.
-        Args:
-            request: FastAPI request object
-        Returns:
-            Client certificate object or None if not found
-        """
-        try:
-            # Check if client certificate is available in SSL context
-            if hasattr(request, 'scope') and 'ssl' in request.scope:
-                ssl_context = request.scope['ssl']
-                if hasattr(ssl_context, 'getpeercert'):
-                    cert_data = ssl_context.getpeercert(binary_form=True)
-                    if cert_data:
-                        return x509.load_der_x509_certificate(cert_data)
-            # Check for certificate in headers (for proxy scenarios)
-            cert_header = request.headers.get('ssl-client-cert')
-            if cert_header:
-                # Remove header prefix if present
-                if cert_header.startswith('-----BEGIN CERTIFICATE-----'):
-                    cert_data = cert_header.encode('utf-8')
-                else:
-                    # Assume it's base64 encoded
-                    import base64
-                    cert_data = base64.b64decode(cert_header)
-                return x509.load_pem_x509_certificate(cert_data)
-            return None
-        except Exception as e:
-            logger.error(f"Failed to extract client certificate: {e}")
-            return None
-    def _validate_client_certificate(self, cert: x509.Certificate) -> bool:
-        """
-        Validate client certificate.
-        Args:
-            cert: Client certificate object
-        Returns:
-            True if certificate is valid, False otherwise
-        """
-        try:
-            if not self.verify_client:
-                return True
-            # Convert certificate to PEM format for validation
-            cert_pem = cert.public_bytes(serialization.Encoding.PEM)
-            # Use AuthValidator to validate certificate
-            result = self.auth_validator.validate_certificate_data(cert_pem)
-            if not result.is_valid:
-                logger.warning(f"Certificate validation failed: {result.error_message}")
-                return False
-            # Validate certificate chain if CA is provided
-            if self.ca_cert_path and self.ca_cert_path != "None":
-                # Create temporary file for certificate
-                import tempfile
-                import os
-                with tempfile.NamedTemporaryFile(mode='wb', suffix='.crt', delete=False) as f:
-                    f.write(cert_pem)
-                    temp_cert_path = f.name
-                try:
-                    chain_valid = self.certificate_utils.validate_certificate_chain(
-                        temp_cert_path, self.ca_cert_path
-                    )
-                    if not chain_valid:
-                        logger.warning("Certificate chain validation failed")
-                        return False
-                finally:
-                    os.unlink(temp_cert_path)
-            return True
-        except Exception as e:
-            logger.error(f"Failed to validate client certificate: {e}")
-            return False
-    def _extract_roles_from_certificate(self, cert: x509.Certificate) -> List[str]:
-        """
-        Extract roles from client certificate.
-        Args:
-            cert: Client certificate object
-        Returns:
-            List of roles extracted from certificate
-        """
-        try:
-            return self.certificate_utils.extract_roles_from_certificate_object(cert)
-        except Exception as e:
-            logger.error(f"Failed to extract roles from certificate: {e}")
-            return []
-    def _validate_access(self, roles: List[str]) -> bool:
-        """
-        Validate access based on roles.
-        Args:
-            roles: List of roles from client certificate
-        Returns:
-            True if access is allowed, False otherwise
-        """
-        try:
-            if not self.allowed_roles:
-                return True
-            if not roles:
-                return False
-            # Check if any of the client roles match allowed roles
-            for client_role in roles:
-                for allowed_role in self.allowed_roles:
-                    if self.role_utils.compare_roles(client_role, allowed_role):
-                        return True
-            return False
-        except Exception as e:
-            logger.error(f"Failed to validate access: {e}")
-            return False
-    def _get_common_name(self, cert: x509.Certificate) -> str:
-        """
-        Get common name from certificate.
-        Args:
-            cert: Certificate object
-        Returns:
-            Common name or empty string if not found
-        """
-        try:
-            for name_attribute in cert.subject:
-                if name_attribute.oid == x509.NameOID.COMMON_NAME:
-                    return str(name_attribute.value)
-            return ""
-        except Exception as e:
-            logger.error(f"Failed to get common name: {e}")
-            return ""
-    async def handle_error(self, request: Request, exception: Exception) -> Response:
-        """
-        Handle mTLS authentication errors.
-        Args:
-            request: FastAPI request object
-            exception: Exception that occurred
-        Returns:
-            Error response
-        """
-        from fastapi.responses import JSONResponse
-        error_message = str(exception)
-        if "certificate is required" in error_message.lower():
-            status_code = 401
-            error_code = -32009  # Certificate not found
-        elif "validation failed" in error_message.lower():
-            status_code = 401
-            error_code = -32003  # Certificate validation failed
-        elif "access denied" in error_message.lower():
-            status_code = 403
-            error_code = -32007  # Role validation failed
-        else:
-            status_code = 500
-            error_code = -32603  # Internal error
-        return JSONResponse(
-            status_code=status_code,
-            content={
-                "jsonrpc": "2.0",
-                "error": {
-                    "code": error_code,
-                    "message": error_message,
-                    "data": {
-                        "validation_type": "mtls",
-                        "request_id": getattr(request.state, 'request_id', None)
-                    }
-                },
-                "id": None
-            }
-        )

mcp_proxy_adapter/api/middleware/rate_limit.py DELETED Viewed

@@ -1,152 +0,0 @@
-"""
-Middleware for rate limiting.
-"""
-import time
-from typing import Dict, List, Callable, Awaitable
-from collections import defaultdict
-from fastapi import Request, Response
-from starlette.responses import JSONResponse
-from mcp_proxy_adapter.core.logging import logger
-from .base import BaseMiddleware
-class RateLimitMiddleware(BaseMiddleware):
-    """
-    Middleware for limiting request rate.
-    """
-    def __init__(self, app, rate_limit: int = 100, time_window: int = 60,
-                 by_ip: bool = True, by_user: bool = True,
-                 public_paths: List[str] = None):
-        """
-        Initializes middleware for rate limiting.
-        Args:
-            app: FastAPI application
-            rate_limit: Maximum number of requests in the specified time period
-            time_window: Time period in seconds
-            by_ip: Limit requests by IP address
-            by_user: Limit requests by user
-            public_paths: List of paths for which rate limiting is not applied
-        """
-        super().__init__(app)
-        self.rate_limit = rate_limit
-        self.time_window = time_window
-        self.by_ip = by_ip
-        self.by_user = by_user
-        self.public_paths = public_paths or [
-            "/docs",
-            "/redoc",
-            "/openapi.json",
-            "/health"
-        ]
-        # Storage for requests by IP
-        self.ip_requests = defaultdict(list)
-        # Storage for requests by user
-        self.user_requests = defaultdict(list)
-    async def dispatch(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
-        """
-        Processes request and checks rate limit.
-        Args:
-            request: Request.
-            call_next: Next handler.
-        Returns:
-            Response.
-        """
-        # Check if path is public
-        path = request.url.path
-        if self._is_public_path(path):
-            # If path is public, skip rate limiting
-            return await call_next(request)
-        # Current time
-        current_time = time.time()
-        # Get client IP address
-        client_ip = request.client.host if request.client else "unknown"
-        # Get user from request state (if any)
-        username = getattr(request.state, "username", None)
-        # Check limit by IP
-        if self.by_ip and client_ip != "unknown":
-            # Clean old requests
-            self._clean_old_requests(self.ip_requests[client_ip], current_time)
-            # Check number of requests
-            if len(self.ip_requests[client_ip]) >= self.rate_limit:
-                logger.warning(f"Rate limit exceeded for IP: {client_ip} | Path: {path}")
-                return self._create_error_response("Rate limit exceeded", 429)
-            # Add current request
-            self.ip_requests[client_ip].append(current_time)
-        # Check limit by user
-        if self.by_user and username:
-            # Clean old requests
-            self._clean_old_requests(self.user_requests[username], current_time)
-            # Check number of requests
-            if len(self.user_requests[username]) >= self.rate_limit:
-                logger.warning(f"Rate limit exceeded for user: {username} | Path: {path}")
-                return self._create_error_response("Rate limit exceeded", 429)
-            # Add current request
-            self.user_requests[username].append(current_time)
-        # Call the next middleware or main handler
-        return await call_next(request)
-    def _clean_old_requests(self, requests: List[float], current_time: float) -> None:
-        """
-        Cleans old requests that are outside the time window.
-        Args:
-            requests: List of request timestamps.
-            current_time: Current time.
-        """
-        min_time = current_time - self.time_window
-        while requests and requests[0] < min_time:
-            requests.pop(0)
-    def _is_public_path(self, path: str) -> bool:
-        """
-        Checks if the path is public.
-        Args:
-            path: Path to check.
-        Returns:
-            True if path is public, False otherwise.
-        """
-        return any(path.startswith(public_path) for public_path in self.public_paths)
-    def _create_error_response(self, message: str, status_code: int) -> Response:
-        """
-        Creates error response in JSON-RPC format.
-        Args:
-            message: Error message.
-            status_code: HTTP status code.
-        Returns:
-            JSON response with error.
-        """
-        return JSONResponse(
-            status_code=status_code,
-            content={
-                "jsonrpc": "2.0",
-                "error": {
-                    "code": -32000,
-                    "message": message
-                },
-                "id": None
-            }
-        )

mcp_proxy_adapter/api/middleware/rate_limit_adapter.py DELETED Viewed

@@ -1,241 +0,0 @@
-"""
-Rate Limit Middleware Adapter for backward compatibility.
-This module provides an adapter that maintains the same interface as RateLimitMiddleware
-while using the new SecurityMiddleware internally.
-"""
-import time
-from typing import Dict, List, Callable, Awaitable, Any
-from collections import defaultdict
-from fastapi import Request, Response
-from starlette.responses import JSONResponse
-from mcp_proxy_adapter.core.logging import logger
-from .base import BaseMiddleware
-from .security import SecurityMiddleware
-class RateLimitMiddlewareAdapter(BaseMiddleware):
-    """
-    Adapter for RateLimitMiddleware that uses SecurityMiddleware internally.
-    Maintains the same interface as the original RateLimitMiddleware for backward compatibility.
-    """
-    def __init__(self, app, rate_limit: int = 100, time_window: int = 60,
-                 by_ip: bool = True, by_user: bool = True,
-                 public_paths: List[str] = None):
-        """
-        Initialize rate limit middleware adapter.
-        Args:
-            app: FastAPI application
-            rate_limit: Maximum number of requests in the specified time period
-            time_window: Time period in seconds
-            by_ip: Limit requests by IP address
-            by_user: Limit requests by user
-            public_paths: List of paths for which rate limiting is not applied
-        """
-        super().__init__(app)
-        # Store original parameters for backward compatibility
-        self.rate_limit = rate_limit
-        self.time_window = time_window
-        self.by_ip = by_ip
-        self.by_user = by_user
-        self.public_paths = public_paths or [
-            "/docs",
-            "/redoc",
-            "/openapi.json",
-            "/health"
-        ]
-        # Legacy storage for backward compatibility
-        self.ip_requests = defaultdict(list)
-        self.user_requests = defaultdict(list)
-        # Create internal security middleware
-        self.security_middleware = self._create_security_middleware()
-        logger.info(f"RateLimitMiddlewareAdapter initialized: rate_limit={rate_limit}, "
-                   f"time_window={time_window}, by_ip={by_ip}, by_user={by_user}")
-    def _create_security_middleware(self) -> SecurityMiddleware:
-        """
-        Create internal SecurityMiddleware with RateLimitMiddleware configuration.
-        Returns:
-            SecurityMiddleware instance
-        """
-        # Convert RateLimitMiddleware config to SecurityMiddleware config
-        security_config = {
-            "security": {
-                "enabled": True,
-                "auth": {
-                    "enabled": False
-                },
-                "ssl": {
-                    "enabled": False
-                },
-                "permissions": {
-                    "enabled": False
-                },
-                "rate_limit": {
-                    "enabled": True,
-                    "requests_per_minute": self.rate_limit,
-                    "requests_per_hour": self.rate_limit * 60,
-                    "burst_limit": self.rate_limit // 10,
-                    "by_ip": self.by_ip,
-                    "by_user": self.by_user
-                },
-                "public_paths": self.public_paths
-            }
-        }
-        return SecurityMiddleware(self.app, security_config)
-    async def dispatch(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
-        """
-        Process request using internal SecurityMiddleware with legacy fallback.
-        Args:
-            request: Request object
-            call_next: Next handler
-        Returns:
-            Response object
-        """
-        # Check if path is public
-        path = request.url.path
-        if self._is_public_path(path):
-            return await call_next(request)
-        # Try to use SecurityMiddleware first
-        try:
-            await self.security_middleware.before_request(request)
-            return await call_next(request)
-        except Exception as e:
-            # Fallback to legacy rate limiting if SecurityMiddleware fails
-            logger.warning(f"SecurityMiddleware rate limiting failed, using legacy fallback: {e}")
-            return await self._legacy_rate_limit_check(request, call_next)
-    async def _legacy_rate_limit_check(self, request: Request, call_next: Callable[[Request], Awaitable[Response]]) -> Response:
-        """
-        Legacy rate limiting implementation as fallback.
-        Args:
-            request: Request object
-            call_next: Next handler
-        Returns:
-            Response object
-        """
-        current_time = time.time()
-        client_ip = request.client.host if request.client else "unknown"
-        username = getattr(request.state, "username", None)
-        # Check limit by IP
-        if self.by_ip and client_ip != "unknown":
-            self._clean_old_requests(self.ip_requests[client_ip], current_time)
-            if len(self.ip_requests[client_ip]) >= self.rate_limit:
-                logger.warning(f"Rate limit exceeded for IP: {client_ip}")
-                return self._create_error_response("Rate limit exceeded", 429)
-            self.ip_requests[client_ip].append(current_time)
-        # Check limit by user
-        if self.by_user and username:
-            self._clean_old_requests(self.user_requests[username], current_time)
-            if len(self.user_requests[username]) >= self.rate_limit:
-                logger.warning(f"Rate limit exceeded for user: {username}")
-                return self._create_error_response("Rate limit exceeded", 429)
-            self.user_requests[username].append(current_time)
-        return await call_next(request)
-    def _clean_old_requests(self, requests_list: List[float], current_time: float) -> None:
-        """
-        Remove old requests from the list.
-        Args:
-            requests_list: List of request timestamps
-            current_time: Current time
-        """
-        cutoff_time = current_time - self.time_window
-        requests_list[:] = [req_time for req_time in requests_list if req_time > cutoff_time]
-    def _is_public_path(self, path: str) -> bool:
-        """
-        Check if the path is public (doesn't require rate limiting).
-        Args:
-            path: Request path
-        Returns:
-            True if path is public, False otherwise
-        """
-        return any(path.startswith(public_path) for public_path in self.public_paths)
-    def _create_error_response(self, message: str, status_code: int) -> JSONResponse:
-        """
-        Create error response in RateLimitMiddleware format.
-        Args:
-            message: Error message
-            status_code: HTTP status code
-        Returns:
-            JSONResponse with error
-        """
-        return JSONResponse(
-            status_code=status_code,
-            content={
-                "jsonrpc": "2.0",
-                "error": {
-                    "code": -32008 if status_code == 429 else -32603,
-                    "message": message,
-                    "data": {
-                        "rate_limit": self.rate_limit,
-                        "time_window": self.time_window,
-                        "status_code": status_code
-                    }
-                },
-                "id": None
-            }
-        )
-    def get_rate_limit_info(self, request: Request) -> Dict[str, Any]:
-        """
-        Get rate limit information for the request (backward compatibility).
-        Args:
-            request: Request object
-        Returns:
-            Dictionary with rate limit information
-        """
-        client_ip = request.client.host if request.client else "unknown"
-        username = getattr(request.state, "username", None)
-        info = {
-            "rate_limit": self.rate_limit,
-            "time_window": self.time_window,
-            "by_ip": self.by_ip,
-            "by_user": self.by_user
-        }
-        if self.by_ip and client_ip != "unknown":
-            info["ip_requests"] = len(self.ip_requests[client_ip])
-            info["ip_remaining"] = max(0, self.rate_limit - len(self.ip_requests[client_ip]))
-        if self.by_user and username:
-            info["user_requests"] = len(self.user_requests[username])
-            info["user_remaining"] = max(0, self.rate_limit - len(self.user_requests[username]))
-        return info

mcp-proxy-adapter 6.0.0__py3-none-any.whl → 6.1.0__py3-none-any.whl

mcp-proxy-adapter 6.0.0py3-none-any.whl → 6.1.0py3-none-any.whl