mcp-proxy-adapter 6.2.21__py3-none-any.whl → 6.2.23__py3-none-any.whl

mcp_proxy_adapter/examples/security_test_client.py

@@ -21,6 +21,7 @@ from typing import Dict, List, Optional, Any
 from dataclasses import dataclass
 import aiohttp
 from aiohttp import ClientSession, ClientTimeout, TCPConnector
+
 # Add project root to path for imports
 project_root = Path(__file__).parent.parent.parent
 current_dir = Path(__file__).parent
@@ -28,6 +29,26 @@ parent_dir = current_dir.parent
 sys.path.insert(0, str(project_root))
 sys.path.insert(0, str(current_dir))
 sys.path.insert(0, str(parent_dir))
+
+# Import mcp_security_framework components
+try:
+    from mcp_security_framework import SSLManager, CertificateManager
+    from mcp_security_framework.schemas.config import SSLConfig
+    _MCP_SECURITY_AVAILABLE = True
+    print("✅ mcp_security_framework available")
+except ImportError:
+    _MCP_SECURITY_AVAILABLE = False
+    print("⚠️ mcp_security_framework not available, falling back to standard SSL")
+
+# Import cryptography components
+try:
+    from cryptography import x509
+    from cryptography.hazmat.primitives import serialization
+    _CRYPTOGRAPHY_AVAILABLE = True
+    print("✅ cryptography available")
+except ImportError:
+    _CRYPTOGRAPHY_AVAILABLE = False
+    print("⚠️ cryptography not available, SSL validation will be limited")
 @dataclass
 class TestResult:
     """Test result data class."""
@@ -45,11 +66,33 @@ class SecurityTestClient:
         """Initialize security test client."""
         self.base_url = base_url
         self.session: Optional[ClientSession] = None
-        # Note: For basic testing, we'll use simple SSL context creation
-        # instead of full mcp_security_framework integration
-        self.security_manager = None
+
+        # Initialize security managers if available
         self.ssl_manager = None
-        self.auth_manager = None
+        self.cert_manager = None
+        self._security_available = _MCP_SECURITY_AVAILABLE
+        self._crypto_available = _CRYPTOGRAPHY_AVAILABLE
+
+        if self._security_available:
+            try:
+                # Initialize SSL manager with default config
+                ssl_config = SSLConfig(
+                    enabled=True,
+                    cert_file=None,
+                    key_file=None,
+                    ca_cert_file=None,
+                    verify_mode="CERT_NONE",  # For testing
+                    min_tls_version="TLSv1.2"
+                )
+                self.ssl_manager = SSLManager(ssl_config)
+                print("✅ SSL Manager initialized with mcp_security_framework")
+            except Exception as e:
+                print(f"⚠️ Failed to initialize SSL Manager: {e}")
+                self._security_available = False
+
+        if not self._security_available:
+            print("ℹ️ Using standard SSL library for testing")
+            self.ssl_manager = None
         self.test_results: List[TestResult] = []
         # Test tokens
         self.test_tokens = {
@@ -85,14 +128,33 @@ class SecurityTestClient:
         return self
     def create_ssl_context_for_mtls(self) -> ssl.SSLContext:
         """Create SSL context for mTLS connections."""
-        ssl_context = ssl.create_default_context()
-        # For mTLS testing
+        if self.ssl_manager and self._security_available:
+            try:
+                # Use mcp_security_framework for mTLS
+                cert_file = "./certs/user_cert.pem"
+                key_file = "./certs/user_key.pem"
+                ca_cert_file = "./certs/mcp_proxy_adapter_ca_ca.crt"
+
+                return self.ssl_manager.create_client_context(
+                    ca_cert_file=ca_cert_file if os.path.exists(ca_cert_file) else None,
+                    client_cert_file=cert_file if os.path.exists(cert_file) else None,
+                    client_key_file=key_file if os.path.exists(key_file) else None,
+                    verify_mode="CERT_NONE",  # For testing
+                    min_version="TLSv1.2"
+                )
+            except Exception as e:
+                print(f"⚠️ Failed to create mTLS context with mcp_security_framework: {e}")
+                print("ℹ️ Falling back to standard SSL")
+
+        # Fallback to standard SSL
+        ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+        # For mTLS testing - client needs to present certificate to server
         ssl_context.check_hostname = False
-        ssl_context.verify_mode = ssl.CERT_NONE
-        # Load client certificate and key
+        ssl_context.verify_mode = ssl.CERT_NONE  # Don't verify server cert for testing
+        # Load client certificate and key for mTLS
         cert_file = "./certs/user_cert.pem"
         key_file = "./certs/user_key.pem"
-        ca_cert_file = "./certs/ca_cert.pem"
+        ca_cert_file = "./certs/mcp_proxy_adapter_ca_ca.crt"
         if os.path.exists(cert_file) and os.path.exists(key_file):
             ssl_context.load_cert_chain(certfile=cert_file, keyfile=key_file)
         if os.path.exists(ca_cert_file):
@@ -106,6 +168,21 @@ class SecurityTestClient:
                           key_file: Optional[str] = None,
                           ca_cert_file: Optional[str] = None) -> ssl.SSLContext:
         """Create SSL context for client."""
+        if self.ssl_manager and self._security_available:
+            try:
+                # Use mcp_security_framework for SSL context creation
+                return self.ssl_manager.create_client_context(
+                    ca_cert_file=ca_cert_file if ca_cert_file and os.path.exists(ca_cert_file) else None,
+                    client_cert_file=cert_file if cert_file and os.path.exists(cert_file) else None,
+                    client_key_file=key_file if key_file and os.path.exists(key_file) else None,
+                    verify_mode="CERT_NONE",  # For testing
+                    min_version="TLSv1.2"
+                )
+            except Exception as e:
+                print(f"⚠️ Failed to create SSL context with mcp_security_framework: {e}")
+                print("ℹ️ Falling back to standard SSL")
+
+        # Fallback to standard SSL
         ssl_context = ssl.create_default_context()
         # For testing with self-signed certificates
         ssl_context.check_hostname = False
@@ -121,8 +198,10 @@ class SecurityTestClient:
         """Create authentication headers."""
         headers = {"Content-Type": "application/json"}
         if auth_type == "api_key":
-            token = kwargs.get("token", "test-token-123")  # Use correct token
-            headers["X-API-Key"] = token  # Use X-API-Key header
+            token = kwargs.get("token", "test-token-123")
+            # Provide both common header styles to maximize compatibility
+            headers["X-API-Key"] = token
+            headers["Authorization"] = f"Bearer {token}"
         elif auth_type == "basic":
             username = kwargs.get("username", "admin")
             password = kwargs.get("password", "password")
@@ -306,39 +385,104 @@ class SecurityTestClient:
         start_time = time.time()
         test_name = f"Negative Auth ({auth_type})"
         try:
-            # Use invalid token
-            headers = self.create_auth_headers("api_key", token="invalid-token-999")
-            data = {
-                "jsonrpc": "2.0",
-                "method": "echo",
-                "params": {"message": "Should fail"},
-                "id": 3
-            }
-            async with self.session.post(f"{server_url}/cmd",
-                                        headers=headers,
-                                        json=data) as response:
-                duration = time.time() - start_time
-                # Expected to fail with 401
-                if response.status == 401:
-                    return TestResult(
-                        test_name=test_name,
-                        server_url=server_url,
-                        auth_type=auth_type,
-                        success=True,  # This is expected to fail
-                        status_code=response.status,
-                        response_data={"expected": "authentication_failure"},
-                        duration=duration
-                    )
-                else:
+            if auth_type == "certificate":
+                # For mTLS, test with invalid/expired certificate or no certificate
+                import aiohttp
+                from aiohttp import ClientTimeout, TCPConnector
+                import ssl
+
+                # Create SSL context with wrong certificate (should be rejected)
+                ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+                ssl_context.check_hostname = False
+                # Don't load any client certificate - this should cause rejection
+                # Load CA certificate for server verification
+                ca_cert_file = "./certs/mcp_proxy_adapter_ca_ca.crt"
+                if os.path.exists(ca_cert_file):
+                    ssl_context.load_verify_locations(cafile=ca_cert_file)
+                ssl_context.verify_mode = ssl.CERT_NONE  # Don't verify server cert for testing
+
+                connector = TCPConnector(ssl=ssl_context)
+                timeout = ClientTimeout(total=10)  # Shorter timeout
+
+                try:
+                    async with aiohttp.ClientSession(timeout=timeout, connector=connector) as temp_session:
+                        data = {
+                            "jsonrpc": "2.0",
+                            "method": "echo",
+                            "params": {"message": "Should fail without certificate"},
+                            "id": 3
+                        }
+                        async with temp_session.post(f"{server_url}/cmd", json=data) as response:
+                            duration = time.time() - start_time
+                            # If we get here, the server accepted the connection without proper certificate
+                            # This is actually a security issue - server should reject
+                            return TestResult(
+                                test_name=test_name,
+                                server_url=server_url,
+                                auth_type=auth_type,
+                                success=False,
+                                status_code=response.status,
+                                error_message=f"SECURITY ISSUE: mTLS server accepted connection without client certificate (status: {response.status})",
+                                duration=duration
+                            )
+                except (aiohttp.ClientError, aiohttp.ServerDisconnectedError, asyncio.TimeoutError) as e:
+                    # This is expected - server should reject connections without proper certificate
+                    duration = time.time() - start_time
                     return TestResult(
                         test_name=test_name,
                         server_url=server_url,
                         auth_type=auth_type,
-                        success=False,
-                        status_code=response.status,
-                        error_message=f"Expected 401, got {response.status}",
+                        success=True,
+                        status_code=0,
+                        response_data={"expected": "connection_rejected", "error": str(e)},
                         duration=duration
                     )
+            else:
+                # For other auth types, use invalid token
+                headers = self.create_auth_headers("api_key", token="invalid-token-999")
+                data = {
+                    "jsonrpc": "2.0",
+                    "method": "echo",
+                    "params": {"message": "Should fail"},
+                    "id": 3
+                }
+                async with self.session.post(f"{server_url}/cmd",
+                                            headers=headers,
+                                            json=data) as response:
+                    duration = time.time() - start_time
+                    # Expect 401 only when auth is enforced
+                    expects_auth = auth_type in ("api_key", "certificate", "basic")
+                    if expects_auth and response.status == 401:
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=server_url,
+                            auth_type=auth_type,
+                            success=True,
+                            status_code=response.status,
+                            response_data={"expected": "authentication_failure"},
+                            duration=duration
+                        )
+                    elif not expects_auth and response.status == 200:
+                        # Security disabled: negative auth should not fail
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=server_url,
+                            auth_type=auth_type,
+                            success=True,
+                            status_code=response.status,
+                            response_data={"expected": "no_auth_required"},
+                            duration=duration
+                        )
+                    else:
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=server_url,
+                            auth_type=auth_type,
+                            success=False,
+                            status_code=response.status,
+                            error_message=f"Unexpected status for negative auth: {response.status}",
+                            duration=duration
+                        )
         except Exception as e:
             duration = time.time() - start_time
             return TestResult(

mcp_proxy_adapter/examples/setup_test_environment.py

@@ -99,6 +99,18 @@ def setup_test_environment(output_dir: Path) -> None:
     if cert_tokens_src.exists():
         shutil.copy2(cert_tokens_src, output_dir / "scripts/")
         print("✅ Copied generate_certificates_and_tokens.py")
+
+    # Copy roles.json to the root directory for compatibility
+    roles_src = examples_src_root / "roles.json"
+    if roles_src.exists():
+        shutil.copy2(roles_src, output_dir)
+        print("✅ Copied roles.json to root directory")
+
+    # Also copy from configs directory if it exists
+    roles_configs_src = output_dir / "configs" / "roles.json"
+    if roles_configs_src.exists():
+        shutil.copy2(roles_configs_src, output_dir / "roles.json")
+        print("✅ Updated roles.json from configs directory")
     print(
         "🎉 Test environment setup completed successfully at: {}".format(
             output_dir

mcp_proxy_adapter/main.py

@@ -7,6 +7,7 @@ email: vasilyvz@gmail.com
 """
 
 import sys
+import ssl
 import hypercorn.asyncio
 import hypercorn.config
 import asyncio
@@ -32,7 +33,10 @@ def main():
         config = Config(config_path=args.config)
     else:
         config = Config()
-    
+
+    print(f"DEBUG main.py: config type: {type(config)}")
+    print(f"DEBUG main.py: config.get_all() type: {type(config.get_all())}")
+
     # Create application
     app = create_app(app_config=config)
     
@@ -70,8 +74,14 @@ def main():
             config_hypercorn.ca_certs = ssl_ca_cert
         
         if verify_client:
-            import ssl
+            # For mTLS, require client certificates
+            config_hypercorn.set_cert_reqs(ssl.CERT_REQUIRED)
             config_hypercorn.verify_mode = ssl.CERT_REQUIRED
+            print("🔐 mTLS: Client certificate verification enabled")
+        else:
+            # For regular HTTPS without client verification
+            config_hypercorn.set_cert_reqs(ssl.CERT_NONE)
+            config_hypercorn.verify_mode = ssl.CERT_NONE
         
         print(f"🔐 Starting HTTPS server with hypercorn...")
     else: