PyPI - mcp-proxy-adapter - Versions diffs - 6.0.0__py3-none-any.whl → 6.1.1__py3-none-any.whl - Mend

mcp-proxy-adapter 6.0.0py3-none-any.whl → 6.1.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (264) hide show

mcp_proxy_adapter/core/mtls_asgi_app.py ADDED Viewed

@@ -0,0 +1,187 @@
+"""
+MTLS ASGI Application Wrapper
+This module provides an ASGI application wrapper that extracts client certificates
+from the SSL context and makes them available to FastAPI middleware.
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+Version: 1.0.0
+"""
+import logging
+import ssl
+from typing import Dict, Any, Optional
+from cryptography import x509
+logger = logging.getLogger(__name__)
+class MTLSASGIApp:
+    """
+    ASGI application wrapper for mTLS support.
+    Extracts client certificates from SSL context and stores them in ASGI scope
+    for access by FastAPI middleware.
+    """
+    def __init__(self, app, ssl_config: Dict[str, Any]):
+        """
+        Initialize MTLS ASGI app.
+        Args:
+            app: The underlying ASGI application
+            ssl_config: SSL configuration dictionary
+        """
+        self.app = app
+        self.ssl_config = ssl_config
+        self.client_cert_required = ssl_config.get("client_cert_required", True)
+        logger.info(f"MTLS ASGI app initialized: client_cert_required={self.client_cert_required}")
+    async def __call__(self, scope: Dict[str, Any], receive, send):
+        """
+        Handle ASGI request with mTLS support.
+        Args:
+            scope: ASGI scope dictionary
+            receive: ASGI receive callable
+            send: ASGI send callable
+        """
+        try:
+            # Extract client certificate from SSL context
+            if scope["type"] == "http" and "ssl" in scope:
+                client_cert = self._extract_client_certificate(scope)
+                if client_cert:
+                    # Store certificate in scope for middleware access
+                    scope["client_certificate"] = client_cert
+                    logger.debug(f"Client certificate extracted: {client_cert.get('subject', {})}")
+                elif self.client_cert_required:
+                    logger.warning("Client certificate required but not provided")
+                    # Return 401 Unauthorized
+                    await self._send_unauthorized_response(send)
+                    return
+            # Call the underlying application
+            await self.app(scope, receive, send)
+        except Exception as e:
+            logger.error(f"Error in MTLS ASGI app: {e}")
+            await self._send_error_response(send, str(e))
+    def _extract_client_certificate(self, scope: Dict[str, Any]) -> Optional[Dict[str, Any]]:
+        """
+        Extract client certificate from SSL context.
+        Args:
+            scope: ASGI scope dictionary
+        Returns:
+            Certificate dictionary or None if not found
+        """
+        try:
+            ssl_context = scope.get("ssl")
+            if not ssl_context:
+                logger.debug("No SSL context found in scope")
+                return None
+            # Try to get peer certificate
+            if hasattr(ssl_context, 'getpeercert'):
+                cert_data = ssl_context.getpeercert(binary_form=True)
+                if cert_data:
+                    # Parse certificate
+                    cert = x509.load_der_x509_certificate(cert_data)
+                    return self._cert_to_dict(cert)
+                else:
+                    logger.debug("No certificate data in SSL context")
+                    return None
+            else:
+                logger.debug("SSL context has no getpeercert method")
+                return None
+        except Exception as e:
+            logger.error(f"Failed to extract client certificate: {e}")
+            return None
+    def _cert_to_dict(self, cert: x509.Certificate) -> Dict[str, Any]:
+        """
+        Convert x509 certificate to dictionary.
+        Args:
+            cert: x509 certificate object
+        Returns:
+            Certificate dictionary
+        """
+        try:
+            # Extract subject
+            subject = {}
+            for name in cert.subject:
+                subject[name.oid._name] = name.value
+            # Extract issuer
+            issuer = {}
+            for name in cert.issuer:
+                issuer[name.oid._name] = name.value
+            return {
+                "subject": subject,
+                "issuer": issuer,
+                "serial_number": str(cert.serial_number),
+                "not_valid_before": cert.not_valid_before.isoformat(),
+                "not_valid_after": cert.not_valid_after.isoformat(),
+                "version": cert.version.value,
+                "signature_algorithm_oid": cert.signature_algorithm_oid._name,
+                "public_key": {
+                    "key_size": cert.public_key().key_size if hasattr(cert.public_key(), 'key_size') else None,
+                    "public_numbers": str(cert.public_key().public_numbers()) if hasattr(cert.public_key(), 'public_numbers') else None
+                }
+            }
+        except Exception as e:
+            logger.error(f"Failed to convert certificate to dict: {e}")
+            return {"error": str(e)}
+    async def _send_unauthorized_response(self, send):
+        """Send 401 Unauthorized response."""
+        await send({
+            "type": "http.response.start",
+            "status": 401,
+            "headers": [
+                (b"content-type", b"application/json"),
+                (b"content-length", b"0")
+            ]
+        })
+        await send({
+            "type": "http.response.body",
+            "body": b""
+        })
+    async def _send_error_response(self, send, error_message: str):
+        """Send error response."""
+        body = f'{{"error": "{error_message}"}}'.encode('utf-8')
+        await send({
+            "type": "http.response.start",
+            "status": 500,
+            "headers": [
+                (b"content-type", b"application/json"),
+                (b"content-length", str(len(body)).encode())
+            ]
+        })
+        await send({
+            "type": "http.response.body",
+            "body": body
+        })
+def create_mtls_asgi_app(app, ssl_config: Dict[str, Any]):
+    """
+    Create MTLS ASGI application wrapper.
+    Args:
+        app: The underlying ASGI application
+        ssl_config: SSL configuration dictionary
+    Returns:
+        MTLS ASGI app wrapper
+    """
+    return MTLSASGIApp(app, ssl_config)

mcp_proxy_adapter/core/protocol_manager.py CHANGED Viewed

@@ -21,11 +21,85 @@ class ProtocolManager:
     ensuring that only configured protocols are accessible.
     """
-    def __init__(self):
-        """Initialize the protocol manager."""
-        self.protocols_config = config.get("protocols", {})
+    def __init__(self, app_config: Optional[Dict] = None):
+        """
+        Initialize the protocol manager.
+        Args:
+            app_config: Application configuration dictionary (optional)
+        """
+        self.app_config = app_config
+        self._load_config()
+    def _load_config(self):
+        """Load protocol configuration from config."""
+        # Use provided config or fallback to global config
+        current_config = self.app_config if self.app_config is not None else config.get_all()
+        # Get protocols configuration
+        self.protocols_config = current_config.get("protocols", {})
         self.enabled = self.protocols_config.get("enabled", True)
-        self.allowed_protocols = self.protocols_config.get("allowed_protocols", ["http"])
+        # Get SSL configuration to determine allowed protocols
+        ssl_enabled = self._is_ssl_enabled(current_config)
+        # Set allowed protocols based on SSL configuration
+        if ssl_enabled:
+            # If SSL is enabled, allow both HTTP and HTTPS
+            self.allowed_protocols = self.protocols_config.get("allowed_protocols", ["http", "https"])
+            # Ensure HTTPS is in allowed protocols if SSL is enabled
+            if "https" not in self.allowed_protocols:
+                self.allowed_protocols.append("https")
+        else:
+            # If SSL is disabled, only allow HTTP
+            self.allowed_protocols = self.protocols_config.get("allowed_protocols", ["http"])
+            # Remove HTTPS from allowed protocols if SSL is disabled
+            if "https" in self.allowed_protocols:
+                self.allowed_protocols.remove("https")
+        logger.debug(f"Protocol manager loaded config: enabled={self.enabled}, allowed_protocols={self.allowed_protocols}, ssl_enabled={ssl_enabled}")
+    def _is_ssl_enabled(self, current_config: Dict) -> bool:
+        """
+        Check if SSL is enabled in configuration.
+        Args:
+            current_config: Current configuration dictionary
+        Returns:
+            True if SSL is enabled, False otherwise
+        """
+        # Try security framework SSL config first
+        security_config = current_config.get("security", {})
+        ssl_config = security_config.get("ssl", {})
+        if ssl_config.get("enabled", False):
+            logger.debug("SSL enabled via security.ssl configuration")
+            return True
+        # Fallback to legacy SSL config
+        legacy_ssl_config = current_config.get("ssl", {})
+        if legacy_ssl_config.get("enabled", False):
+            logger.debug("SSL enabled via legacy ssl configuration")
+            return True
+        logger.debug("SSL is disabled in configuration")
+        return False
+    def update_config(self, new_config: Dict):
+        """
+        Update configuration and reload protocol settings.
+        Args:
+            new_config: New configuration dictionary
+        """
+        self.app_config = new_config
+        self._load_config()
+        logger.info(f"Protocol manager configuration updated: allowed_protocols={self.allowed_protocols}")
+    def reload_config(self):
+        """Reload protocol configuration from global config."""
+        self._load_config()
     def is_protocol_allowed(self, protocol: str) -> bool:
         """
@@ -128,7 +202,11 @@ class ProtocolManager:
         if protocol.lower() not in ["https", "mtls"]:
             return None
-        ssl_config = config.get("ssl", {})
+        # Use provided config or fallback to global config
+        current_config = self.app_config if self.app_config is not None else config.get_all()
+        # Get SSL configuration
+        ssl_config = self._get_ssl_config(current_config)
         if not ssl_config.get("enabled", False):
             logger.warning(f"SSL required for protocol '{protocol}' but SSL is disabled")
@@ -161,6 +239,33 @@ class ProtocolManager:
             logger.error(f"Failed to create SSL context for protocol '{protocol}': {e}")
             return None
+    def _get_ssl_config(self, current_config: Dict) -> Dict:
+        """
+        Get SSL configuration from config.
+        Args:
+            current_config: Current configuration dictionary
+        Returns:
+            SSL configuration dictionary
+        """
+        # Try security framework SSL config first
+        security_config = current_config.get("security", {})
+        ssl_config = security_config.get("ssl", {})
+        if ssl_config.get("enabled", False):
+            logger.debug("Using security.ssl configuration")
+            return ssl_config
+        # Fallback to legacy SSL config
+        legacy_ssl_config = current_config.get("ssl", {})
+        if legacy_ssl_config.get("enabled", False):
+            logger.debug("Using legacy ssl configuration")
+            return legacy_ssl_config
+        # Return empty config if SSL is disabled
+        return {"enabled": False}
     def get_protocol_info(self) -> Dict[str, Dict]:
         """
         Get information about all configured protocols.
@@ -213,7 +318,10 @@ class ProtocolManager:
             # Check SSL requirements
             if protocol in ["https", "mtls"]:
-                ssl_config = config.get("ssl", {})
+                # Use provided config or fallback to global config
+                current_config = self.app_config if self.app_config is not None else config.get_all()
+                ssl_config = self._get_ssl_config(current_config)
                 if not ssl_config.get("enabled", False):
                     errors.append(f"Protocol '{protocol}' requires SSL but SSL is disabled")
                 elif not ssl_config.get("cert_file") or not ssl_config.get("key_file"):
@@ -222,5 +330,28 @@ class ProtocolManager:
         return errors
-# Global protocol manager instance
-protocol_manager = ProtocolManager()
+# Global protocol manager instance - will be updated with config when needed
+protocol_manager = None
+def get_protocol_manager(app_config: Optional[Dict] = None) -> ProtocolManager:
+    """
+    Get protocol manager instance with current configuration.
+    Args:
+        app_config: Application configuration dictionary (optional)
+    Returns:
+        ProtocolManager instance
+    """
+    global protocol_manager
+    # If no app_config provided, use global config
+    if app_config is None:
+        app_config = config.get_all()
+    # Create new instance if none exists or config changed
+    if protocol_manager is None or protocol_manager.app_config != app_config:
+        protocol_manager = ProtocolManager(app_config)
+        logger.info("Protocol manager created with new configuration")
+    return protocol_manager

mcp-proxy-adapter 6.0.0__py3-none-any.whl → 6.1.1__py3-none-any.whl

mcp-proxy-adapter 6.0.0py3-none-any.whl → 6.1.1py3-none-any.whl