mcp-proxy-adapter 6.3.28__py3-none-any.whl → 6.3.30__py3-none-any.whl

mcp_proxy_adapter/core/config_validator.py

@@ -1,280 +1,218 @@
 """
-Configuration validator for strict validation before startup.
+Configuration validation utilities.
 
-This module provides strict validation of configuration to prevent startup
-with invalid or insecure configurations.
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+
+This module provides strict configuration validation with support for two modes:
+- startup (strict): fail-fast with SystemExit on invalid config
+- reload  (soft): log errors and keep previous config
 """
 
+from __future__ import annotations
+
 import os
-import json
-import uuid
-from typing import Dict, Any, List
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any, Dict, List, Optional, Tuple
 
 from mcp_proxy_adapter.core.logging import logger
 
 
+@dataclass
+class ConfigValidationResult:
+    is_valid: bool
+    errors: List[str]
+    warnings: List[str]
+
+    @staticmethod
+    def ok() -> "ConfigValidationResult":
+        return ConfigValidationResult(True, [], [])
+
+
 class ConfigValidator:
     """
-    Strict configuration validator.
-
-    Validates configuration before startup and prevents startup
-    with invalid or insecure configurations.
+    Unified configuration validator supporting both result-based and boolean APIs.
     """
 
-    def __init__(self, config: Dict[str, Any]):
-        """
-        Initialize configuration validator.
-
-        Args:
-            config: Configuration dictionary to validate
-        """
-        self.config = config
+    def __init__(self, _config: Optional[Dict[str, Any]] = None) -> None:
+        # Optional stored config for validate_all() compatibility
+        self._config: Optional[Dict[str, Any]] = _config
         self.errors: List[str] = []
         self.warnings: List[str] = []
 
-    def validate_all(self) -> bool:
+    def validate(self, config: Optional[Dict[str, Any]] = None) -> ConfigValidationResult:
         """
-        Validate all configuration sections.
+        Validate configuration and return detailed result.
 
-        Returns:
-            True if configuration is valid, False otherwise
+        Args:
+            config: Configuration dict. If None, uses self._config.
         """
-        self.errors.clear()
-        self.warnings.clear()
-
-        # Validate basic structure
-        if not self._validate_basic_structure():
-            return False
-
-        # Validate UUID configuration (mandatory)
-        if not self._validate_uuid_config():
-            return False
-
-        # Validate server configuration
-        if not self._validate_server_config():
-            return False
-
-        # Validate security configuration
-        if not self._validate_security_config():
-            return False
-
-        # Validate commands configuration
-        if not self._validate_commands_config():
-            return False
-
-        # Validate SSL configuration
-        if not self._validate_ssl_config():
-            return False
-
-        # Validate roles configuration
-        if not self._validate_roles_config():
-            return False
-
-        # Log warnings if any
-        if self.warnings:
-            for warning in self.warnings:
-                logger.warning(f"Configuration warning: {warning}")
-
-        # Return success only if no errors
-        return len(self.errors) == 0
-
-    def _validate_basic_structure(self) -> bool:
-        """Validate basic configuration structure."""
-        required_sections = ["server", "logging", "commands"]
+        cfg = config if config is not None else (self._config or {})
+        self.errors = []
+        self.warnings = []
+
+        # Top-level basics
+        self._validate_uuid(cfg)
+        self._validate_server(cfg)
+        self._validate_protocols(cfg)
+
+        # SSL/mTLS
+        self._validate_ssl(cfg)
+
+        # Security framework sections
+        self._validate_security_auth(cfg)
+        self._validate_permissions(cfg)
+        self._validate_rate_limit(cfg)
+
+        return ConfigValidationResult(
+            is_valid=len(self.errors) == 0,
+            errors=list(self.errors),
+            warnings=list(self.warnings),
+        )
+
+    # Boolean API for backward compatibility (used in main.py)
+    def validate_all(self) -> bool:
+        result = self.validate(self._config)
+        return result.is_valid
 
-        for section in required_sections:
-            if section not in self.config:
-                self.errors.append(f"Missing required configuration section: {section}")
+    def get_errors(self) -> List[str]:
+        return list(self.errors)
 
-        return len(self.errors) == 0
+    def get_warnings(self) -> List[str]:
+        return list(self.warnings)
 
-    def _validate_uuid_config(self) -> bool:
-        """Validate UUID configuration (mandatory parameter)."""
-        # Check if UUID is present in root config
-        service_uuid = self.config.get("uuid")
+    # ------------- Section validators -------------
 
-        if not service_uuid:
+    def _validate_uuid(self, config: Dict[str, Any]) -> None:
+        uuid_value = config.get("uuid")
+        if not uuid_value or not isinstance(uuid_value, str) or len(uuid_value) < 8:
             self.errors.append(
                 "UUID is required in configuration. Add 'uuid' field with a valid UUID4 value."
             )
-            return False
-
-        # Validate UUID format
-        try:
-            # Try to parse as UUID
-            parsed_uuid = uuid.UUID(service_uuid)
-
-            # Check if it's UUID4 (version 4)
-            if parsed_uuid.version != 4:
-                self.errors.append(
-                    f"UUID must be version 4 (UUID4). Current version: {parsed_uuid.version}"
-                )
-                return False
-
-        except (ValueError, TypeError) as e:
-            self.errors.append(f"Invalid UUID format: {service_uuid}. Error: {e}")
-            return False
-
-        return len(self.errors) == 0
 
-    def _validate_server_config(self) -> bool:
-        """Validate server configuration."""
-        server_config = self.config.get("server", {})
-
-        # Validate host
-        host = server_config.get("host")
-        if not host:
-            self.errors.append("Server host is required")
-
-        # Validate port
-        port = server_config.get("port")
-        if not isinstance(port, int) or port < 1 or port > 65535:
-            self.errors.append("Server port must be an integer between 1 and 65535")
-
-        return len(self.errors) == 0
-
-    def _validate_security_config(self) -> bool:
-        """Validate security configuration."""
-        security_config = self.config.get("security", {})
-
-        # Check if security is enabled
-        security_enabled = security_config.get("enabled", True)
-        auth_enabled = self.config.get("auth_enabled", False)
+    def _validate_server(self, config: Dict[str, Any]) -> None:
+        server = config.get("server", {})
+        port = server.get("port")
+        if port is None or not isinstance(port, int) or not (1 <= port <= 65535):
+            self.errors.append("Server.port must be an integer between 1 and 65535")
+
+        host = server.get("host")
+        if not host or not isinstance(host, str):
+            self.errors.append("Server.host must be a non-empty string")
+
+    def _validate_protocols(self, config: Dict[str, Any]) -> None:
+        protocols = config.get("protocols", {})
+        if not isinstance(protocols, dict):
+            self.warnings.append("'protocols' must be a dictionary; ignoring")
+            return
+
+        enabled = protocols.get("enabled", True)
+        if not enabled:
+            return  # Disabled => allow all (manager bypassed)
+
+        allowed = protocols.get("allowed_protocols", [])
+        default_protocol = protocols.get("default_protocol")
+        if not isinstance(allowed, list) or not all(isinstance(x, str) for x in allowed):
+            self.errors.append("protocols.allowed_protocols must be a list of strings")
+        if default_protocol and default_protocol not in allowed:
+            self.errors.append(
+                "protocols.default_protocol must be present in allowed_protocols"
+            )
 
-        # Validate permissions configuration
-        permissions_config = security_config.get("permissions", {})
-        permissions_enabled = permissions_config.get("enabled", False)
+    def _validate_ssl(self, config: Dict[str, Any]) -> None:
+        # Prefer security.ssl if enabled; otherwise fallback to root ssl
+        sec = config.get("security", {}) if isinstance(config.get("security"), dict) else {}
+        security_ssl = sec.get("ssl", {}) if isinstance(sec.get("ssl"), dict) else {}
+        root_ssl = config.get("ssl", {}) if isinstance(config.get("ssl"), dict) else {}
 
-        if permissions_enabled:
-            # Permissions require authentication to identify users
-            auth_config = security_config.get("auth", {})
-            if not auth_config.get("enabled", False):
-                self.errors.append(
-                    "Permissions are enabled but authentication is disabled. Permissions require authentication to identify users."
-                )
-                return False
+        effective_ssl = security_ssl if security_ssl.get("enabled", False) else root_ssl
+        if not isinstance(effective_ssl, dict):
+            return
 
-            # Check if there are any authentication methods available
-            auth_methods = auth_config.get("methods", [])
-            if not auth_methods:
+        if effective_ssl.get("enabled", False):
+            cert_file = effective_ssl.get("cert_file")
+            key_file = effective_ssl.get("key_file")
+            if not cert_file or not key_file:
                 self.errors.append(
-                    "Permissions are enabled but no authentication methods are configured. At least one authentication method is required."
+                    "SSL enabled but 'cert_file' or 'key_file' is missing"
                 )
-                return False
-
-        if security_enabled and auth_enabled:
-            # Validate auth configuration
-            auth_config = security_config.get("auth", {})
-            if not auth_config.get("enabled", False):
-                self.errors.append("Security is enabled but auth is disabled")
-                return False
-
-            # Validate API keys if auth is enabled
-            if auth_config.get("enabled", False):
-                api_keys = auth_config.get("api_keys", {})
-                if not api_keys:
+            else:
+                if not Path(cert_file).exists():
+                    self.errors.append(f"SSL certificate file not found: {cert_file}")
+                if not Path(key_file).exists():
+                    self.errors.append(f"SSL private key file not found: {key_file}")
+
+            # mTLS
+            verify_client = effective_ssl.get("verify_client", False)
+            ca_candidates = [
+                effective_ssl.get("ca_cert_file"),  # security.ssl
+                effective_ssl.get("ca_cert"),  # legacy root.ssl
+            ]
+            ca_cert = next((c for c in ca_candidates if isinstance(c, str) and c), None)
+
+            if verify_client:
+                if not ca_cert:
                     self.errors.append(
-                        "API keys are required when authentication is enabled"
+                        "mTLS requires a CA certificate (security.ssl.ca_cert_file or ssl.ca_cert)"
                     )
-                    return False
-
-                # Validate API key format
-                for key, value in api_keys.items():
-                    if not key or not value:
-                        self.errors.append("API keys must have non-empty key and value")
-                        return False
-
-        return len(self.errors) == 0
+                elif not Path(ca_cert).exists():
+                    self.errors.append(f"CA certificate file not found: {ca_cert}")
 
-    def _validate_commands_config(self) -> bool:
-        """Validate commands configuration."""
-        commands_config = self.config.get("commands", {})
-
-        # Validate commands directory if auto_discovery is enabled
-        if commands_config.get("auto_discovery", True):
-            commands_dir = commands_config.get("commands_directory", "./commands")
-            if not os.path.exists(commands_dir):
+            # TLS versions
+            min_tls = str(effective_ssl.get("min_tls_version", "TLSv1.2"))
+            valid_min = {"TLSv1.2", "1.2", "TLSv1.3", "1.3"}
+            if min_tls not in valid_min:
                 self.warnings.append(
-                    f"Commands directory does not exist: {commands_dir}"
+                    f"Unknown min_tls_version '{min_tls}', expected one of {sorted(valid_min)}"
                 )
 
-        return True
-
-    def _validate_ssl_config(self) -> bool:
-        """Validate SSL configuration."""
-        ssl_config = self.config.get("ssl", {})
-        ssl_enabled = ssl_config.get("enabled", False)
-
-        if ssl_enabled:
-            # Validate certificate files
-            cert_file = ssl_config.get("cert_file")
-            key_file = ssl_config.get("key_file")
-
-            if not cert_file or not key_file:
-                self.errors.append(
-                    "SSL certificate and key files are required when SSL is enabled"
-                )
-                return False
+        # Conflict check
+        if security_ssl.get("enabled") and root_ssl.get("enabled"):
+            self.warnings.append(
+                "SSL configured in both security.ssl and root ssl; security.ssl is preferred"
+            )
 
-            if not os.path.exists(cert_file):
-                self.errors.append(f"SSL certificate file not found: {cert_file}")
+    def _validate_security_auth(self, config: Dict[str, Any]) -> None:
+        sec = config.get("security", {}) if isinstance(config.get("security"), dict) else {}
+        auth = sec.get("auth", {}) if isinstance(sec.get("auth"), dict) else {}
 
-            if not os.path.exists(key_file):
-                self.errors.append(f"SSL private key file not found: {key_file}")
+        if not sec.get("enabled", False) or not auth.get("enabled", False):
+            return
 
-        return len(self.errors) == 0
+        methods = auth.get("methods", [])
+        if not isinstance(methods, list):
+            self.errors.append("security.auth.methods must be a list")
+            return
 
-    def _validate_roles_config(self) -> bool:
-        """Validate roles configuration."""
-        roles_config = self.config.get("roles", {})
-        roles_enabled = roles_config.get("enabled", False)
+        if "jwt" in methods and not auth.get("jwt_secret"):
+            self.warnings.append("JWT method enabled but jwt_secret is empty")
 
-        if roles_enabled:
-            config_file = roles_config.get("config_file")
-            if not config_file:
+        if "certificate" in methods:
+            # Ensure SSL is enabled for certificate auth
+            ssl_enabled = (
+                (sec.get("ssl", {}) or {}).get("enabled", False)
+                or (config.get("ssl", {}) or {}).get("enabled", False)
+            )
+            if not ssl_enabled:
                 self.errors.append(
-                    "Roles config file is required when roles are enabled"
+                    "Certificate auth enabled but SSL is disabled (enable security.ssl or root ssl)"
                 )
-                return False
-
-            if not os.path.exists(config_file):
-                self.errors.append(f"Roles config file not found: {config_file}")
-                return False
-
-            # Validate roles schema file
-            try:
-                with open(config_file, "r") as f:
-                    roles_schema = json.load(f)
-
-                if "roles" not in roles_schema:
-                    self.errors.append("Roles config file must contain 'roles' section")
-                    return False
 
-            except (json.JSONDecodeError, IOError) as e:
-                self.errors.append(f"Failed to read roles config file: {e}")
-                return False
-
-        return len(self.errors) == 0
-
-    def get_errors(self) -> List[str]:
-        """Get validation errors."""
-        return self.errors.copy()
-
-    def get_warnings(self) -> List[str]:
-        """Get validation warnings."""
-        return self.warnings.copy()
-
-    def print_validation_report(self):
-        """Print validation report."""
-        if self.errors:
-            logger.error("Configuration validation failed:")
-            for error in self.errors:
-                logger.error(f"  - {error}")
-
-        if self.warnings:
-            logger.warning("Configuration warnings:")
-            for warning in self.warnings:
-                logger.warning(f"  - {warning}")
-
-        if not self.errors and not self.warnings:
-            logger.info("Configuration validation passed")
+    def _validate_permissions(self, config: Dict[str, Any]) -> None:
+        sec = config.get("security", {}) if isinstance(config.get("security"), dict) else {}
+        perm = sec.get("permissions", {}) if isinstance(sec.get("permissions"), dict) else {}
+        roles = perm.get("roles_file")
+        if perm.get("enabled", False) and roles:
+            if not Path(roles).exists():
+                self.errors.append(f"Permissions enabled but roles file not found: {roles}")
+
+    def _validate_rate_limit(self, config: Dict[str, Any]) -> None:
+        sec = config.get("security", {}) if isinstance(config.get("security"), dict) else {}
+        rl = sec.get("rate_limit", {}) if isinstance(sec.get("rate_limit"), dict) else {}
+        if rl.get("enabled", False):
+            rpm = rl.get("default_requests_per_minute") or rl.get("requests_per_minute")
+            if rpm is None or not isinstance(rpm, int) or rpm <= 0:
+                self.errors.append(
+                    "Rate limit enabled but requests_per_minute is not a positive integer"
+                )