PyPI - mcp-proxy-adapter - Versions diffs - 6.1.0__py3-none-any.whl → 6.2.0__py3-none-any.whl - Mend

mcp-proxy-adapter 6.1.0py3-none-any.whl → 6.2.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (148) hide show

mcp_proxy_adapter/core/certificate_utils.py CHANGED Viewed

@@ -2,8 +2,7 @@
 Certificate Utilities
 This module provides utilities for working with certificates including creation,
-validation, and role extraction. Integrates with AuthValidator and RoleUtils
-from previous phases.
+validation, and role extraction. Integrates with mcp_security_framework.
 Author: MCP Proxy Adapter Team
 Version: 1.0.0
@@ -16,10 +15,31 @@ from datetime import datetime, timedelta, timezone
 from typing import Dict, List, Optional, Any
 from pathlib import Path
-from cryptography import x509
-from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.x509.oid import NameOID
+# Import mcp_security_framework
+try:
+    from mcp_security_framework.core.cert_manager import CertificateManager
+    from mcp_security_framework.schemas.config import (
+        CertificateConfig,
+        CAConfig,
+        ClientCertConfig,
+        ServerCertConfig
+    )
+    from mcp_security_framework.schemas.models import CertificateType
+    from mcp_security_framework.utils.cert_utils import (
+        parse_certificate,
+        extract_roles_from_certificate,
+        extract_permissions_from_certificate,
+        validate_certificate_chain,
+        get_certificate_expiry
+    )
+    SECURITY_FRAMEWORK_AVAILABLE = True
+except ImportError:
+    SECURITY_FRAMEWORK_AVAILABLE = False
+    # Fallback to cryptography if mcp_security_framework is not available
+    from cryptography import x509
+    from cryptography.hazmat.primitives import hashes, serialization
+    from cryptography.hazmat.primitives.asymmetric import rsa
+    from cryptography.x509.oid import NameOID
 from .auth_validator import AuthValidator
 from .role_utils import RoleUtils
@@ -32,7 +52,7 @@ class CertificateUtils:
     Utilities for working with certificates.
     Provides methods for creating CA, server, and client certificates,
-    as well as validation and role extraction.
+    as well as validation and role extraction using mcp_security_framework.
     """
     # Default certificate validity period (1 year)
@@ -49,7 +69,7 @@ class CertificateUtils:
                             validity_days: int = DEFAULT_VALIDITY_DAYS,
                             key_size: int = DEFAULT_KEY_SIZE) -> Dict[str, str]:
         """
-        Create a CA certificate and private key.
+        Create a CA certificate and private key using mcp_security_framework.
         Args:
             common_name: Common name for the CA certificate
@@ -64,6 +84,64 @@ class CertificateUtils:
             ValueError: If parameters are invalid
             OSError: If files cannot be created
         """
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            logger.warning("mcp_security_framework not available, using fallback method")
+            return CertificateUtils._create_ca_certificate_fallback(
+                common_name, output_dir, validity_days, key_size
+            )
+        try:
+            # Validate parameters
+            if not common_name or not common_name.strip():
+                raise ValueError("Common name cannot be empty")
+            if validity_days <= 0:
+                raise ValueError("Validity days must be positive")
+            if key_size < 1024:
+                raise ValueError("Key size must be at least 1024 bits")
+            # Create output directory if it doesn't exist
+            Path(output_dir).mkdir(parents=True, exist_ok=True)
+            # Configure CA using mcp_security_framework
+            ca_config = CAConfig(
+                common_name=common_name,
+                organization="MCP Proxy Adapter CA",
+                organizational_unit="Certificate Authority",
+                country="US",
+                state="Default State",
+                locality="Default City",
+                validity_days=validity_days,
+                key_size=key_size,
+                key_type="RSA"
+            )
+            # Create certificate manager
+            cert_config = CertificateConfig(
+                output_dir=output_dir,
+                ca_cert_path=str(Path(output_dir) / f"{common_name}.crt"),
+                ca_key_path=str(Path(output_dir) / f"{common_name}.key")
+            )
+            cert_manager = CertificateManager(cert_config)
+            # Generate CA certificate
+            ca_pair = cert_manager.create_ca_certificate(ca_config)
+            return {
+                "cert_path": str(ca_pair.cert_path),
+                "key_path": str(ca_pair.key_path)
+            }
+        except Exception as e:
+            logger.error(f"Failed to create CA certificate: {e}")
+            raise
+    @staticmethod
+    def _create_ca_certificate_fallback(common_name: str, output_dir: str,
+                                      validity_days: int, key_size: int) -> Dict[str, str]:
+        """Fallback method using cryptography directly."""
         try:
             # Validate parameters
             if not common_name or not common_name.strip():
@@ -117,21 +195,14 @@ class CertificateUtils:
                     data_encipherment=False,
                     key_agreement=False,
                     encipher_only=False,
-                    decipher_only=False,
-                    content_commitment=False
+                    decipher_only=False
                 ),
                 critical=True
-            ).add_extension(
-                x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()),
-                critical=False
-            ).add_extension(
-                x509.AuthorityKeyIdentifier.from_issuer_public_key(private_key.public_key()),
-                critical=False
             ).sign(private_key, hashes.SHA256())
             # Save certificate and key
-            cert_path = os.path.join(output_dir, "ca.crt")
-            key_path = os.path.join(output_dir, "ca.key")
+            cert_path = Path(output_dir) / f"{common_name}.crt"
+            key_path = Path(output_dir) / f"{common_name}.key"
             with open(cert_path, "wb") as f:
                 f.write(cert.public_bytes(serialization.Encoding.PEM))
@@ -143,17 +214,13 @@ class CertificateUtils:
                     encryption_algorithm=serialization.NoEncryption()
                 ))
-            logger.info(f"CA certificate created: {cert_path}")
             return {
-                "cert_path": cert_path,
-                "key_path": key_path,
-                "common_name": common_name,
-                "validity_days": validity_days
+                "cert_path": str(cert_path),
+                "key_path": str(key_path)
             }
         except Exception as e:
-            logger.error(f"Failed to create CA certificate: {e}")
+            logger.error(f"Failed to create CA certificate (fallback): {e}")
             raise
     @staticmethod
@@ -304,20 +371,19 @@ class CertificateUtils:
             raise
     @staticmethod
-    def create_client_certificate(common_name: str, roles: List[str],
-                                ca_cert_path: str, ca_key_path: str,
-                                output_dir: str,
+    def create_client_certificate(common_name: str, ca_cert_path: str, ca_key_path: str,
+                                output_dir: str, roles: List[str] = None,
                                 validity_days: int = DEFAULT_VALIDITY_DAYS,
                                 key_size: int = DEFAULT_KEY_SIZE) -> Dict[str, str]:
         """
-        Create a client certificate signed by CA.
+        Create a client certificate and private key using mcp_security_framework.
         Args:
             common_name: Common name for the client certificate
-            roles: List of roles to include in certificate
             ca_cert_path: Path to CA certificate
             ca_key_path: Path to CA private key
             output_dir: Directory to save certificate and key files
+            roles: List of roles to include in certificate
             validity_days: Certificate validity period in days
             key_size: RSA key size in bits
@@ -326,22 +392,92 @@ class CertificateUtils:
         Raises:
             ValueError: If parameters are invalid
-            FileNotFoundError: If CA files not found
             OSError: If files cannot be created
         """
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            logger.warning("mcp_security_framework not available, using fallback method")
+            return CertificateUtils._create_client_certificate_fallback(
+                common_name, ca_cert_path, ca_key_path, output_dir, roles, validity_days, key_size
+            )
         try:
             # Validate parameters
             if not common_name or not common_name.strip():
                 raise ValueError("Common name cannot be empty")
-            if not roles:
-                roles = ["client"]
+            if not Path(ca_cert_path).exists():
+                raise ValueError(f"CA certificate not found: {ca_cert_path}")
+            if not Path(ca_key_path).exists():
+                raise ValueError(f"CA private key not found: {ca_key_path}")
+            if validity_days <= 0:
+                raise ValueError("Validity days must be positive")
+            if key_size < 1024:
+                raise ValueError("Key size must be at least 1024 bits")
+            # Create output directory if it doesn't exist
+            Path(output_dir).mkdir(parents=True, exist_ok=True)
+            # Configure client certificate using mcp_security_framework
+            client_config = ClientCertConfig(
+                common_name=common_name,
+                organization="MCP Proxy Adapter Client",
+                organizational_unit="Client Certificates",
+                country="US",
+                state="Default State",
+                locality="Default City",
+                validity_days=validity_days,
+                key_size=key_size,
+                key_type="RSA",
+                roles=roles or [],
+                permissions=[]  # Permissions can be added later if needed
+            )
+            # Create certificate manager
+            cert_config = CertificateConfig(
+                output_dir=output_dir,
+                ca_cert_path=ca_cert_path,
+                ca_key_path=ca_key_path
+            )
+            cert_manager = CertificateManager(cert_config)
+            # Generate client certificate
+            client_pair = cert_manager.create_client_certificate(client_config)
+            return {
+                "cert_path": str(client_pair.cert_path),
+                "key_path": str(client_pair.key_path)
+            }
+        except Exception as e:
+            logger.error(f"Failed to create client certificate: {e}")
+            raise
+    @staticmethod
+    def _create_client_certificate_fallback(common_name: str, ca_cert_path: str, ca_key_path: str,
+                                          output_dir: str, roles: List[str] = None,
+                                          validity_days: int = DEFAULT_VALIDITY_DAYS,
+                                          key_size: int = DEFAULT_KEY_SIZE) -> Dict[str, str]:
+        """Fallback method using cryptography directly."""
+        try:
+            # Validate parameters
+            if not common_name or not common_name.strip():
+                raise ValueError("Common name cannot be empty")
             if not Path(ca_cert_path).exists():
-                raise FileNotFoundError(f"CA certificate not found: {ca_cert_path}")
+                raise ValueError(f"CA certificate not found: {ca_cert_path}")
             if not Path(ca_key_path).exists():
-                raise FileNotFoundError(f"CA key not found: {ca_key_path}")
+                raise ValueError(f"CA private key not found: {ca_key_path}")
+            if validity_days <= 0:
+                raise ValueError("Validity days must be positive")
+            if key_size < 1024:
+                raise ValueError("Key size must be at least 1024 bits")
             # Create output directory if it doesn't exist
             Path(output_dir).mkdir(parents=True, exist_ok=True)
@@ -362,8 +498,8 @@ class CertificateUtils:
             # Create certificate subject
             subject = x509.Name([
                 x509.NameAttribute(NameOID.COMMON_NAME, common_name),
-                x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MCP Proxy Adapter"),
-                x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Client"),
+                x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MCP Proxy Adapter Client"),
+                x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Client Certificates"),
                 x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
             ])
@@ -392,37 +528,28 @@ class CertificateUtils:
                     data_encipherment=False,
                     key_agreement=False,
                     encipher_only=False,
-                    decipher_only=False,
-                    content_commitment=False
+                    decipher_only=False
                 ),
                 critical=True
             ).add_extension(
-                x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()),
-                critical=False
-            ).add_extension(
-                x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()),
-                critical=False
-            ).add_extension(
-                x509.ExtendedKeyUsage([
-                    x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH
-                ]),
+                x509.ExtendedKeyUsage([x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]),
                 critical=False
             )
-            # Add roles extension
+            # Add roles extension if provided
             if roles:
-                roles_data = ",".join(roles).encode('utf-8')
+                roles_str = ",".join(roles)
                 roles_oid = x509.ObjectIdentifier(CertificateUtils.ROLE_EXTENSION_OID)
                 cert_builder = cert_builder.add_extension(
-                    x509.UnrecognizedExtension(roles_oid, roles_data),
+                    x509.UnrecognizedExtension(roles_oid, roles_str.encode()),
                     critical=False
                 )
             cert = cert_builder.sign(ca_key, hashes.SHA256())
             # Save certificate and key
-            cert_path = os.path.join(output_dir, f"{common_name}.crt")
-            key_path = os.path.join(output_dir, f"{common_name}.key")
+            cert_path = Path(output_dir) / f"{common_name}.crt"
+            key_path = Path(output_dir) / f"{common_name}.key"
             with open(cert_path, "wb") as f:
                 f.write(cert.public_bytes(serialization.Encoding.PEM))
@@ -434,66 +561,157 @@ class CertificateUtils:
                     encryption_algorithm=serialization.NoEncryption()
                 ))
-            logger.info(f"Client certificate created: {cert_path}")
             return {
-                "cert_path": cert_path,
-                "key_path": key_path,
-                "common_name": common_name,
-                "roles": roles,
-                "validity_days": validity_days
+                "cert_path": str(cert_path),
+                "key_path": str(key_path)
             }
         except Exception as e:
-            logger.error(f"Failed to create client certificate: {e}")
+            logger.error(f"Failed to create client certificate (fallback): {e}")
             raise
     @staticmethod
     def extract_roles_from_certificate(cert_path: str) -> List[str]:
         """
-        Extract roles from certificate file using RoleUtils.
+        Extract roles from certificate using mcp_security_framework.
         Args:
             cert_path: Path to certificate file
         Returns:
-            List of roles extracted from certificate
+            List of roles found in certificate
         """
-        return RoleUtils.extract_roles_from_certificate(cert_path)
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            logger.warning("mcp_security_framework not available, using fallback method")
+            return RoleUtils.extract_roles_from_certificate(cert_path)
+        try:
+            return extract_roles_from_certificate(cert_path)
+        except Exception as e:
+            logger.error(f"Failed to extract roles from certificate: {e}")
+            return []
     @staticmethod
-    def extract_roles_from_certificate_object(cert: x509.Certificate) -> List[str]:
+    def extract_roles_from_certificate_object(cert) -> List[str]:
         """
-        Extract roles from certificate object using RoleUtils.
+        Extract roles from certificate object using mcp_security_framework.
         Args:
             cert: Certificate object
         Returns:
-            List of roles extracted from certificate
+            List of roles found in certificate
+        """
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            logger.warning("mcp_security_framework not available, using fallback method")
+            return RoleUtils.extract_roles_from_certificate_object(cert)
+        try:
+            # Convert certificate object to PEM format for mcp_security_framework
+            cert_pem = cert.public_bytes(serialization.Encoding.PEM)
+            return extract_roles_from_certificate(cert_pem)
+        except Exception as e:
+            logger.error(f"Failed to extract roles from certificate object: {e}")
+            return []
+    @staticmethod
+    def extract_permissions_from_certificate(cert_path: str) -> List[str]:
+        """
+        Extract permissions from certificate using mcp_security_framework.
+        Args:
+            cert_path: Path to certificate file
+        Returns:
+            List of permissions found in certificate
         """
-        return RoleUtils.extract_roles_from_certificate_object(cert)
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            logger.warning("mcp_security_framework not available, permissions extraction not supported")
+            return []
+        try:
+            return extract_permissions_from_certificate(cert_path)
+        except Exception as e:
+            logger.error(f"Failed to extract permissions from certificate: {e}")
+            return []
     @staticmethod
     def validate_certificate_chain(cert_path: str, ca_cert_path: str) -> bool:
         """
-        Validate certificate chain using AuthValidator.
+        Validate certificate chain using mcp_security_framework.
         Args:
             cert_path: Path to certificate to validate
             ca_cert_path: Path to CA certificate
         Returns:
-            True if certificate chain is valid, False otherwise
+            True if chain is valid, False otherwise
         """
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            logger.warning("mcp_security_framework not available, using fallback validation")
+            return CertificateUtils._validate_certificate_chain_fallback(cert_path, ca_cert_path)
         try:
-            validator = AuthValidator()
-            result = validator.validate_certificate_chain(cert_path, ca_cert_path)
-            return result.is_valid
+            return validate_certificate_chain(cert_path, ca_cert_path)
         except Exception as e:
             logger.error(f"Failed to validate certificate chain: {e}")
             return False
+    @staticmethod
+    def _validate_certificate_chain_fallback(cert_path: str, ca_cert_path: str) -> bool:
+        """Fallback certificate chain validation using cryptography."""
+        try:
+            # Load certificates
+            with open(cert_path, "rb") as f:
+                cert = x509.load_pem_x509_certificate(f.read())
+            with open(ca_cert_path, "rb") as f:
+                ca_cert = x509.load_pem_x509_certificate(f.read())
+            # Simple validation: check if certificate is issued by CA
+            return cert.issuer == ca_cert.subject
+        except Exception as e:
+            logger.error(f"Failed to validate certificate chain (fallback): {e}")
+            return False
+    @staticmethod
+    def get_certificate_expiry(cert_path: str) -> Optional[datetime]:
+        """
+        Get certificate expiry date using mcp_security_framework.
+        Args:
+            cert_path: Path to certificate file
+        Returns:
+            Certificate expiry date or None if not available
+        """
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            logger.warning("mcp_security_framework not available, using fallback method")
+            return CertificateUtils._get_certificate_expiry_fallback(cert_path)
+        try:
+            expiry_info = get_certificate_expiry(cert_path)
+            if isinstance(expiry_info, dict) and 'expiry_date' in expiry_info:
+                return expiry_info['expiry_date']
+            return None
+        except Exception as e:
+            logger.error(f"Failed to get certificate expiry: {e}")
+            return None
+    @staticmethod
+    def _get_certificate_expiry_fallback(cert_path: str) -> Optional[datetime]:
+        """Fallback method to get certificate expiry using cryptography."""
+        try:
+            with open(cert_path, "rb") as f:
+                cert = x509.load_pem_x509_certificate(f.read())
+            return cert.not_valid_after
+        except Exception as e:
+            logger.error(f"Failed to get certificate expiry (fallback): {e}")
+            return None
     @staticmethod
     def validate_certificate(cert_path: str) -> bool:
         """

mcp-proxy-adapter 6.1.0__py3-none-any.whl → 6.2.0__py3-none-any.whl

mcp-proxy-adapter 6.1.0py3-none-any.whl → 6.2.0py3-none-any.whl