PyPI - mcp-proxy-adapter - Versions diffs - 6.0.0__py3-none-any.whl → 6.1.0__py3-none-any.whl - Mend

mcp-proxy-adapter 6.0.0py3-none-any.whl → 6.1.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (259) hide show

mcp_proxy_adapter/core/client_security.py ADDED Viewed

@@ -0,0 +1,384 @@
+"""
+Client Security Module
+This module provides client-side security integration for MCP Proxy Adapter,
+using mcp_security_framework utilities for secure connections to servers.
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+import logging
+import ssl
+from typing import Dict, Any, Optional, List, Tuple
+from pathlib import Path
+# Import framework utilities
+try:
+    from mcp_security_framework.utils.crypto_utils import (
+        generate_api_key, create_jwt_token, verify_jwt_token
+    )
+    from mcp_security_framework.utils.cert_utils import (
+        parse_certificate, extract_roles_from_certificate,
+        validate_certificate_chain, validate_certificate_format
+    )
+    from mcp_security_framework.core.ssl_manager import SSLManager
+    from mcp_security_framework.schemas.config import SSLConfig, AuthConfig
+    from mcp_security_framework.schemas.models import AuthResult, ValidationResult
+    SECURITY_FRAMEWORK_AVAILABLE = True
+except ImportError:
+    SECURITY_FRAMEWORK_AVAILABLE = False
+    SSLManager = None
+    SSLConfig = None
+    AuthConfig = None
+    AuthResult = None
+    ValidationResult = None
+from mcp_proxy_adapter.core.logging import logger
+class ClientSecurityManager:
+    """
+    Client-side security manager for MCP Proxy Adapter.
+    Provides secure client connections using mcp_security_framework utilities.
+    Handles authentication, certificate management, and SSL/TLS for client connections.
+    """
+    def __init__(self, config: Dict[str, Any]):
+        """
+        Initialize client security manager.
+        Args:
+            config: Security configuration
+        """
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            raise ImportError("mcp_security_framework is not available")
+        self.config = config
+        self.security_config = config.get("security", {})
+        # Initialize SSL manager if needed
+        self.ssl_manager = None
+        if self.security_config.get("ssl", {}).get("enabled", False):
+            ssl_config = self._create_ssl_config()
+            self.ssl_manager = SSLManager(ssl_config)
+        logger.info("Client security manager initialized")
+    def _create_ssl_config(self) -> SSLConfig:
+        """Create SSL configuration for client connections."""
+        ssl_section = self.security_config.get("ssl", {})
+        return SSLConfig(
+            enabled=ssl_section.get("enabled", False),
+            cert_file=ssl_section.get("client_cert_file"),
+            key_file=ssl_section.get("client_key_file"),
+            ca_cert_file=ssl_section.get("ca_cert_file"),
+            verify_mode=ssl_section.get("verify_mode", "CERT_REQUIRED"),
+            min_tls_version=ssl_section.get("min_tls_version", "TLSv1.2"),
+            check_hostname=ssl_section.get("check_hostname", True),
+            check_expiry=ssl_section.get("check_expiry", True)
+        )
+    def create_client_ssl_context(self, server_hostname: Optional[str] = None) -> Optional[ssl.SSLContext]:
+        """
+        Create SSL context for client connections.
+        Args:
+            server_hostname: Server hostname for SNI
+        Returns:
+            SSL context or None if SSL not enabled
+        """
+        if not self.ssl_manager:
+            return None
+        try:
+            # Create client SSL context
+            context = self.ssl_manager.create_client_context()
+            if server_hostname:
+                # Set server hostname for SNI
+                context.check_hostname = True
+                context.verify_mode = ssl.CERT_REQUIRED
+            logger.info(f"Client SSL context created for {server_hostname or 'unknown server'}")
+            return context
+        except Exception as e:
+            logger.error(f"Failed to create client SSL context: {e}")
+            return None
+    def generate_client_api_key(self, user_id: str, prefix: str = "mcp_proxy") -> str:
+        """
+        Generate API key for client authentication.
+        Args:
+            user_id: User identifier
+            prefix: Key prefix
+        Returns:
+            Generated API key
+        """
+        try:
+            api_key = generate_api_key(prefix=prefix)
+            logger.info(f"Generated API key for user: {user_id}")
+            return api_key
+        except Exception as e:
+            logger.error(f"Failed to generate API key: {e}")
+            raise
+    def create_client_jwt_token(self, user_id: str, roles: List[str],
+                               secret: str, algorithm: str = "HS256",
+                               expiry_hours: int = 24) -> str:
+        """
+        Create JWT token for client authentication.
+        Args:
+            user_id: User identifier
+            roles: User roles
+            secret: JWT secret
+            algorithm: JWT algorithm
+            expiry_hours: Token expiry in hours
+        Returns:
+            JWT token
+        """
+        try:
+            payload = {
+                "user_id": user_id,
+                "roles": roles,
+                "type": "client_proxy"
+            }
+            token = create_jwt_token(
+                payload=payload,
+                secret=secret,
+                algorithm=algorithm,
+                expiry_hours=expiry_hours
+            )
+            logger.info(f"Created JWT token for user: {user_id}")
+            return token
+        except Exception as e:
+            logger.error(f"Failed to create JWT token: {e}")
+            raise
+    def validate_server_certificate(self, cert_path: str, ca_cert_path: Optional[str] = None) -> bool:
+        """
+        Validate server certificate before connection.
+        Args:
+            cert_path: Path to server certificate
+            ca_cert_path: Path to CA certificate
+        Returns:
+            True if certificate is valid
+        """
+        try:
+            # Validate certificate format
+            if not validate_certificate_format(cert_path):
+                logger.error(f"Invalid certificate format: {cert_path}")
+                return False
+            # Validate certificate chain if CA provided
+            if ca_cert_path:
+                if not validate_certificate_chain(cert_path, ca_cert_path):
+                    logger.error(f"Invalid certificate chain: {cert_path}")
+                    return False
+            # Parse certificate and check basic properties
+            cert_info = parse_certificate(cert_path)
+            if not cert_info:
+                logger.error(f"Failed to parse certificate: {cert_path}")
+                return False
+            logger.info(f"Server certificate validated: {cert_path}")
+            return True
+        except Exception as e:
+            logger.error(f"Failed to validate server certificate: {e}")
+            return False
+    def extract_server_roles(self, cert_path: str) -> List[str]:
+        """
+        Extract roles from server certificate.
+        Args:
+            cert_path: Path to server certificate
+        Returns:
+            List of roles extracted from certificate
+        """
+        try:
+            roles = extract_roles_from_certificate(cert_path)
+            logger.info(f"Extracted roles from server certificate: {roles}")
+            return roles
+        except Exception as e:
+            logger.error(f"Failed to extract roles from certificate: {e}")
+            return []
+    def get_client_auth_headers(self, auth_method: str = "api_key", **kwargs) -> Dict[str, str]:
+        """
+        Get authentication headers for client requests.
+        Args:
+            auth_method: Authentication method (api_key, jwt, certificate)
+            **kwargs: Additional parameters
+        Returns:
+            Dictionary of authentication headers
+        """
+        headers = {}
+        try:
+            if auth_method == "api_key":
+                api_key = kwargs.get("api_key")
+                if api_key:
+                    headers["X-API-Key"] = api_key
+                    headers["Authorization"] = f"Bearer {api_key}"
+            elif auth_method == "jwt":
+                token = kwargs.get("token")
+                if token:
+                    headers["Authorization"] = f"Bearer {token}"
+            elif auth_method == "certificate":
+                # Certificate authentication is handled at SSL level
+                headers["X-Auth-Method"] = "certificate"
+            # Add common proxy headers
+            headers["X-Proxy-Type"] = "mcp_proxy_adapter"
+            headers["X-Client-Type"] = "proxy_client"
+            logger.debug(f"Created auth headers for method: {auth_method}")
+            return headers
+        except Exception as e:
+            logger.error(f"Failed to create auth headers: {e}")
+            return {}
+    def prepare_client_connection(self, server_config: Dict[str, Any]) -> Tuple[Optional[ssl.SSLContext], Dict[str, str]]:
+        """
+        Prepare secure client connection to server.
+        Args:
+            server_config: Server connection configuration
+        Returns:
+            Tuple of (SSL context, auth headers)
+        """
+        ssl_context = None
+        auth_headers = {}
+        try:
+            # Create SSL context if needed
+            if server_config.get("ssl", False):
+                server_hostname = server_config.get("hostname")
+                ssl_context = self.create_client_ssl_context(server_hostname)
+            # Create authentication headers
+            auth_method = server_config.get("auth_method", "api_key")
+            auth_headers = self.get_client_auth_headers(
+                auth_method=auth_method,
+                api_key=server_config.get("api_key"),
+                token=server_config.get("token")
+            )
+            logger.info(f"Prepared client connection for {server_config.get('hostname', 'unknown')}")
+            return ssl_context, auth_headers
+        except Exception as e:
+            logger.error(f"Failed to prepare client connection: {e}")
+            return None, {}
+    def validate_server_response(self, response_headers: Dict[str, str]) -> bool:
+        """
+        Validate server response for security compliance.
+        Args:
+            response_headers: Server response headers
+        Returns:
+            True if response is valid
+        """
+        try:
+            # Check for required security headers
+            required_headers = ["Content-Type"]
+            for header in required_headers:
+                if header not in response_headers:
+                    logger.warning(f"Missing required header: {header}")
+            # Check for security headers
+            security_headers = ["X-Frame-Options", "X-Content-Type-Options"]
+            for header in security_headers:
+                if header in response_headers:
+                    logger.debug(f"Found security header: {header}")
+            # Validate content type
+            content_type = response_headers.get("Content-Type", "")
+            if "application/json" not in content_type:
+                logger.warning(f"Unexpected content type: {content_type}")
+            return True
+        except Exception as e:
+            logger.error(f"Failed to validate server response: {e}")
+            return False
+    def get_client_certificate_info(self) -> Optional[Dict[str, Any]]:
+        """
+        Get information about client certificate.
+        Returns:
+            Certificate information or None
+        """
+        try:
+            ssl_config = self.security_config.get("ssl", {})
+            cert_path = ssl_config.get("client_cert_file")
+            if not cert_path or not Path(cert_path).exists():
+                return None
+            cert_info = parse_certificate(cert_path)
+            if cert_info:
+                roles = extract_roles_from_certificate(cert_path)
+                cert_info["roles"] = roles
+                return cert_info
+            return None
+        except Exception as e:
+            logger.error(f"Failed to get client certificate info: {e}")
+            return None
+    def is_ssl_enabled(self) -> bool:
+        """Check if SSL is enabled for client connections."""
+        return self.security_config.get("ssl", {}).get("enabled", False)
+    def get_supported_auth_methods(self) -> List[str]:
+        """Get list of supported authentication methods."""
+        return ["api_key", "jwt", "certificate"]
+# Factory function for easy integration
+def create_client_security_manager(config: Dict[str, Any]) -> Optional[ClientSecurityManager]:
+    """
+    Create client security manager instance.
+    Args:
+        config: Configuration dictionary
+    Returns:
+        ClientSecurityManager instance or None if framework not available
+    """
+    try:
+        return ClientSecurityManager(config)
+    except ImportError:
+        logger.warning("mcp_security_framework not available, client security disabled")
+        return None
+    except Exception as e:
+        logger.error(f"Failed to create client security manager: {e}")
+        return None

mcp_proxy_adapter/core/logging.py CHANGED Viewed

@@ -230,17 +230,22 @@ def setup_logging(
     return logger
-def _parse_file_size(size_str: str) -> int:
+def _parse_file_size(size_str) -> int:
     """
     Parse file size string to bytes.
     Args:
-        size_str: Size string (e.g., "10MB", "1GB", "100KB")
+        size_str: Size string (e.g., "10MB", "1GB", "100KB") or int
     Returns:
         Size in bytes
     """
-    size_str = size_str.upper()
+    # If it's already an int, return it
+    if isinstance(size_str, int):
+        return size_str
+    # Convert to string and parse
+    size_str = str(size_str).upper()
     if size_str.endswith("KB"):
         return int(size_str[:-2]) * 1024
     elif size_str.endswith("MB"):

mcp_proxy_adapter/core/mtls_asgi.py ADDED Viewed

@@ -0,0 +1,156 @@
+"""
+Custom ASGI application for mTLS support.
+This module provides a custom ASGI application that properly handles
+client certificates in mTLS connections.
+"""
+import ssl
+import logging
+from typing import Dict, Any, Optional
+from starlette.applications import Starlette
+from starlette.requests import Request
+from starlette.responses import Response
+from starlette.types import ASGIApp, Receive, Send, Scope
+logger = logging.getLogger(__name__)
+class MTLSASGIApp:
+    """
+    Custom ASGI application that properly handles mTLS client certificates.
+    This wrapper ensures that client certificates are properly extracted
+    and made available to the FastAPI application.
+    """
+    def __init__(self, app: ASGIApp, ssl_config: Dict[str, Any]):
+        """
+        Initialize MTLS ASGI application.
+        Args:
+            app: The underlying ASGI application (FastAPI)
+            ssl_config: SSL configuration for mTLS
+        """
+        self.app = app
+        self.ssl_config = ssl_config
+        self.verify_client = ssl_config.get("verify_client", False)
+        self.client_cert_required = ssl_config.get("client_cert_required", False)
+        logger.info(f"MTLS ASGI app initialized: verify_client={self.verify_client}, "
+                   f"client_cert_required={self.client_cert_required}")
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        """
+        Handle ASGI request with mTLS support.
+        Args:
+            scope: ASGI scope
+            receive: ASGI receive callable
+            send: ASGI send callable
+        """
+        try:
+            # Extract client certificate from SSL context
+            if scope["type"] == "http" and "ssl" in scope:
+                client_cert = self._extract_client_certificate(scope)
+                if client_cert:
+                    # Store certificate in scope for middleware access
+                    scope["client_certificate"] = client_cert
+                    logger.debug(f"Client certificate extracted: {client_cert.get('subject', {})}")
+                elif self.client_cert_required:
+                    logger.warning("Client certificate required but not provided")
+                    # Return 401 Unauthorized
+                    await self._send_unauthorized_response(send)
+                    return
+            # Call the underlying application
+            await self.app(scope, receive, send)
+        except Exception as e:
+            logger.error(f"Error in MTLS ASGI app: {e}")
+            await self._send_error_response(send, str(e))
+    def _extract_client_certificate(self, scope: Scope) -> Optional[Dict[str, Any]]:
+        """
+        Extract client certificate from SSL context.
+        Args:
+            scope: ASGI scope
+        Returns:
+            Client certificate data or None
+        """
+        try:
+            ssl_context = scope.get("ssl")
+            if not ssl_context:
+                return None
+            # Get peer certificate
+            cert = ssl_context.getpeercert()
+            if cert:
+                return cert
+            return None
+        except Exception as e:
+            logger.error(f"Failed to extract client certificate: {e}")
+            return None
+    async def _send_unauthorized_response(self, send: Send) -> None:
+        """
+        Send 401 Unauthorized response.
+        Args:
+            send: ASGI send callable
+        """
+        response = {
+            "type": "http.response.start",
+            "status": 401,
+            "headers": [
+                (b"content-type", b"application/json"),
+                (b"content-length", b"163"),
+            ],
+        }
+        await send(response)
+        body = b'{"jsonrpc": "2.0", "error": {"code": -32001, "message": "Unauthorized: Client certificate required"}, "id": null}'
+        await send({"type": "http.response.body", "body": body})
+    async def _send_error_response(self, send: Send, error_message: str) -> None:
+        """
+        Send error response.
+        Args:
+            send: ASGI send callable
+            error_message: Error message
+        """
+        response = {
+            "type": "http.response.start",
+            "status": 500,
+            "headers": [
+                (b"content-type", b"application/json"),
+            ],
+        }
+        await send(response)
+        body = f'{{"jsonrpc": "2.0", "error": {{"code": -32603, "message": "Internal error: {error_message}"}}, "id": null}}'.encode()
+        await send({"type": "http.response.body", "body": body})
+def create_mtls_asgi_app(app: ASGIApp, ssl_config: Dict[str, Any]) -> ASGIApp:
+    """
+    Create MTLS-enabled ASGI application.
+    Args:
+        app: The underlying ASGI application (FastAPI)
+        ssl_config: SSL configuration for mTLS
+    Returns:
+        MTLS-enabled ASGI application
+    """
+    if ssl_config.get("mode") == "mtls" or ssl_config.get("verify_client", False):
+        logger.info("Creating MTLS-enabled ASGI application")
+        return MTLSASGIApp(app, ssl_config)
+    else:
+        logger.info("Creating standard ASGI application (no mTLS)")
+        return app

mcp-proxy-adapter 6.0.0__py3-none-any.whl → 6.1.0__py3-none-any.whl

mcp-proxy-adapter 6.0.0py3-none-any.whl → 6.1.0py3-none-any.whl