mcp-proxy-adapter 6.3.4__py3-none-any.whl → 6.3.6__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- mcp_proxy_adapter/__init__.py +9 -5
- mcp_proxy_adapter/__main__.py +1 -1
- mcp_proxy_adapter/api/app.py +227 -176
- mcp_proxy_adapter/api/handlers.py +68 -60
- mcp_proxy_adapter/api/middleware/__init__.py +7 -5
- mcp_proxy_adapter/api/middleware/base.py +19 -16
- mcp_proxy_adapter/api/middleware/command_permission_middleware.py +44 -34
- mcp_proxy_adapter/api/middleware/error_handling.py +57 -67
- mcp_proxy_adapter/api/middleware/factory.py +50 -52
- mcp_proxy_adapter/api/middleware/logging.py +46 -30
- mcp_proxy_adapter/api/middleware/performance.py +19 -16
- mcp_proxy_adapter/api/middleware/protocol_middleware.py +80 -50
- mcp_proxy_adapter/api/middleware/transport_middleware.py +26 -24
- mcp_proxy_adapter/api/middleware/unified_security.py +70 -51
- mcp_proxy_adapter/api/middleware/user_info_middleware.py +43 -34
- mcp_proxy_adapter/api/schemas.py +69 -43
- mcp_proxy_adapter/api/tool_integration.py +83 -63
- mcp_proxy_adapter/api/tools.py +60 -50
- mcp_proxy_adapter/commands/__init__.py +15 -6
- mcp_proxy_adapter/commands/auth_validation_command.py +107 -110
- mcp_proxy_adapter/commands/base.py +108 -112
- mcp_proxy_adapter/commands/builtin_commands.py +28 -18
- mcp_proxy_adapter/commands/catalog_manager.py +394 -265
- mcp_proxy_adapter/commands/cert_monitor_command.py +222 -204
- mcp_proxy_adapter/commands/certificate_management_command.py +210 -213
- mcp_proxy_adapter/commands/command_registry.py +275 -226
- mcp_proxy_adapter/commands/config_command.py +48 -33
- mcp_proxy_adapter/commands/dependency_container.py +22 -23
- mcp_proxy_adapter/commands/dependency_manager.py +65 -56
- mcp_proxy_adapter/commands/echo_command.py +15 -15
- mcp_proxy_adapter/commands/health_command.py +31 -29
- mcp_proxy_adapter/commands/help_command.py +97 -61
- mcp_proxy_adapter/commands/hooks.py +65 -49
- mcp_proxy_adapter/commands/key_management_command.py +148 -147
- mcp_proxy_adapter/commands/load_command.py +58 -40
- mcp_proxy_adapter/commands/plugins_command.py +80 -54
- mcp_proxy_adapter/commands/protocol_management_command.py +60 -48
- mcp_proxy_adapter/commands/proxy_registration_command.py +107 -115
- mcp_proxy_adapter/commands/reload_command.py +43 -37
- mcp_proxy_adapter/commands/result.py +26 -33
- mcp_proxy_adapter/commands/role_test_command.py +26 -26
- mcp_proxy_adapter/commands/roles_management_command.py +176 -173
- mcp_proxy_adapter/commands/security_command.py +134 -122
- mcp_proxy_adapter/commands/settings_command.py +47 -56
- mcp_proxy_adapter/commands/ssl_setup_command.py +109 -129
- mcp_proxy_adapter/commands/token_management_command.py +129 -158
- mcp_proxy_adapter/commands/transport_management_command.py +41 -36
- mcp_proxy_adapter/commands/unload_command.py +42 -37
- mcp_proxy_adapter/config.py +36 -35
- mcp_proxy_adapter/core/__init__.py +19 -21
- mcp_proxy_adapter/core/app_factory.py +30 -9
- mcp_proxy_adapter/core/app_runner.py +81 -64
- mcp_proxy_adapter/core/auth_validator.py +176 -182
- mcp_proxy_adapter/core/certificate_utils.py +469 -426
- mcp_proxy_adapter/core/client.py +155 -126
- mcp_proxy_adapter/core/client_manager.py +60 -54
- mcp_proxy_adapter/core/client_security.py +120 -91
- mcp_proxy_adapter/core/config_converter.py +176 -143
- mcp_proxy_adapter/core/config_validator.py +12 -4
- mcp_proxy_adapter/core/crl_utils.py +21 -7
- mcp_proxy_adapter/core/errors.py +64 -20
- mcp_proxy_adapter/core/logging.py +34 -29
- mcp_proxy_adapter/core/mtls_asgi.py +29 -25
- mcp_proxy_adapter/core/mtls_asgi_app.py +66 -54
- mcp_proxy_adapter/core/protocol_manager.py +154 -104
- mcp_proxy_adapter/core/proxy_client.py +202 -144
- mcp_proxy_adapter/core/proxy_registration.py +7 -3
- mcp_proxy_adapter/core/role_utils.py +139 -125
- mcp_proxy_adapter/core/security_adapter.py +88 -77
- mcp_proxy_adapter/core/security_factory.py +50 -44
- mcp_proxy_adapter/core/security_integration.py +72 -24
- mcp_proxy_adapter/core/server_adapter.py +68 -64
- mcp_proxy_adapter/core/server_engine.py +71 -53
- mcp_proxy_adapter/core/settings.py +68 -58
- mcp_proxy_adapter/core/ssl_utils.py +69 -56
- mcp_proxy_adapter/core/transport_manager.py +72 -60
- mcp_proxy_adapter/core/unified_config_adapter.py +201 -150
- mcp_proxy_adapter/core/utils.py +4 -2
- mcp_proxy_adapter/custom_openapi.py +107 -99
- mcp_proxy_adapter/examples/basic_framework/main.py +9 -2
- mcp_proxy_adapter/examples/commands/__init__.py +1 -1
- mcp_proxy_adapter/examples/create_certificates_simple.py +182 -71
- mcp_proxy_adapter/examples/debug_request_state.py +38 -19
- mcp_proxy_adapter/examples/debug_role_chain.py +53 -20
- mcp_proxy_adapter/examples/demo_client.py +48 -36
- mcp_proxy_adapter/examples/examples/basic_framework/main.py +9 -2
- mcp_proxy_adapter/examples/examples/full_application/__init__.py +1 -0
- mcp_proxy_adapter/examples/examples/full_application/commands/custom_echo_command.py +22 -10
- mcp_proxy_adapter/examples/examples/full_application/commands/dynamic_calculator_command.py +24 -17
- mcp_proxy_adapter/examples/examples/full_application/hooks/application_hooks.py +16 -3
- mcp_proxy_adapter/examples/examples/full_application/hooks/builtin_command_hooks.py +13 -3
- mcp_proxy_adapter/examples/examples/full_application/main.py +27 -2
- mcp_proxy_adapter/examples/examples/full_application/proxy_endpoints.py +48 -14
- mcp_proxy_adapter/examples/full_application/__init__.py +1 -0
- mcp_proxy_adapter/examples/full_application/commands/custom_echo_command.py +22 -10
- mcp_proxy_adapter/examples/full_application/commands/dynamic_calculator_command.py +24 -17
- mcp_proxy_adapter/examples/full_application/hooks/application_hooks.py +16 -3
- mcp_proxy_adapter/examples/full_application/hooks/builtin_command_hooks.py +13 -3
- mcp_proxy_adapter/examples/full_application/main.py +27 -2
- mcp_proxy_adapter/examples/full_application/proxy_endpoints.py +48 -14
- mcp_proxy_adapter/examples/generate_all_certificates.py +198 -73
- mcp_proxy_adapter/examples/generate_certificates.py +31 -16
- mcp_proxy_adapter/examples/generate_certificates_and_tokens.py +220 -74
- mcp_proxy_adapter/examples/generate_test_configs.py +68 -91
- mcp_proxy_adapter/examples/proxy_registration_example.py +76 -75
- mcp_proxy_adapter/examples/run_example.py +23 -5
- mcp_proxy_adapter/examples/run_full_test_suite.py +109 -71
- mcp_proxy_adapter/examples/run_proxy_server.py +22 -9
- mcp_proxy_adapter/examples/run_security_tests.py +103 -41
- mcp_proxy_adapter/examples/run_security_tests_fixed.py +72 -36
- mcp_proxy_adapter/examples/scripts/config_generator.py +288 -187
- mcp_proxy_adapter/examples/scripts/create_certificates_simple.py +185 -72
- mcp_proxy_adapter/examples/scripts/generate_certificates_and_tokens.py +220 -74
- mcp_proxy_adapter/examples/security_test_client.py +196 -127
- mcp_proxy_adapter/examples/setup_test_environment.py +17 -29
- mcp_proxy_adapter/examples/test_config.py +19 -4
- mcp_proxy_adapter/examples/test_config_generator.py +23 -7
- mcp_proxy_adapter/examples/test_examples.py +84 -56
- mcp_proxy_adapter/examples/universal_client.py +119 -62
- mcp_proxy_adapter/openapi.py +108 -115
- mcp_proxy_adapter/utils/config_generator.py +429 -274
- mcp_proxy_adapter/version.py +1 -2
- {mcp_proxy_adapter-6.3.4.dist-info → mcp_proxy_adapter-6.3.6.dist-info}/METADATA +1 -1
- mcp_proxy_adapter-6.3.6.dist-info/RECORD +144 -0
- mcp_proxy_adapter-6.3.6.dist-info/top_level.txt +2 -0
- mcp_proxy_adapter_issue_package/demonstrate_issue.py +178 -0
- mcp_proxy_adapter-6.3.4.dist-info/RECORD +0 -143
- mcp_proxy_adapter-6.3.4.dist-info/top_level.txt +0 -1
- {mcp_proxy_adapter-6.3.4.dist-info → mcp_proxy_adapter-6.3.6.dist-info}/WHEEL +0 -0
- {mcp_proxy_adapter-6.3.4.dist-info → mcp_proxy_adapter-6.3.6.dist-info}/entry_points.txt +0 -0
- {mcp_proxy_adapter-6.3.4.dist-info → mcp_proxy_adapter-6.3.6.dist-info}/licenses/LICENSE +0 -0
|
@@ -13,15 +13,24 @@ import argparse
|
|
|
13
13
|
import subprocess
|
|
14
14
|
from pathlib import Path
|
|
15
15
|
from typing import Dict, Any, List, Optional
|
|
16
|
+
|
|
16
17
|
# Import mcp_security_framework
|
|
17
18
|
try:
|
|
18
19
|
from mcp_security_framework.core.cert_manager import CertificateManager
|
|
19
|
-
from mcp_security_framework.schemas.config import
|
|
20
|
+
from mcp_security_framework.schemas.config import (
|
|
21
|
+
CertificateConfig,
|
|
22
|
+
CAConfig,
|
|
23
|
+
ServerCertConfig,
|
|
24
|
+
ClientCertConfig,
|
|
25
|
+
)
|
|
20
26
|
from mcp_security_framework.schemas.models import CertificateType
|
|
27
|
+
|
|
21
28
|
SECURITY_FRAMEWORK_AVAILABLE = True
|
|
22
29
|
except ImportError:
|
|
23
30
|
SECURITY_FRAMEWORK_AVAILABLE = False
|
|
24
31
|
print("Warning: mcp_security_framework not available, falling back to OpenSSL")
|
|
32
|
+
|
|
33
|
+
|
|
25
34
|
def generate_ca_certificate(output_dir: str) -> str:
|
|
26
35
|
"""
|
|
27
36
|
Generate CA certificate and key using mcp_security_framework.
|
|
@@ -44,7 +53,7 @@ def generate_ca_certificate(output_dir: str) -> str:
|
|
|
44
53
|
locality="City",
|
|
45
54
|
validity_years=10, # Используем validity_years вместо validity_days
|
|
46
55
|
key_size=2048,
|
|
47
|
-
hash_algorithm="sha256"
|
|
56
|
+
hash_algorithm="sha256",
|
|
48
57
|
)
|
|
49
58
|
# Create certificate manager
|
|
50
59
|
cert_config = CertificateConfig(
|
|
@@ -52,7 +61,7 @@ def generate_ca_certificate(output_dir: str) -> str:
|
|
|
52
61
|
key_storage_path=ca_dir,
|
|
53
62
|
default_validity_days=3650,
|
|
54
63
|
key_size=2048,
|
|
55
|
-
hash_algorithm="sha256"
|
|
64
|
+
hash_algorithm="sha256",
|
|
56
65
|
)
|
|
57
66
|
cert_manager = CertificateManager(cert_config)
|
|
58
67
|
# Create CA certificate
|
|
@@ -71,16 +80,34 @@ def generate_ca_certificate(output_dir: str) -> str:
|
|
|
71
80
|
ca_key = os.path.join(ca_dir, "ca.key")
|
|
72
81
|
ca_cert = os.path.join(ca_dir, "ca.crt")
|
|
73
82
|
# Generate CA private key
|
|
74
|
-
subprocess.run(
|
|
75
|
-
"openssl", "genrsa", "-out", ca_key, "2048"
|
|
76
|
-
|
|
83
|
+
subprocess.run(
|
|
84
|
+
["openssl", "genrsa", "-out", ca_key, "2048"],
|
|
85
|
+
check=True,
|
|
86
|
+
capture_output=True,
|
|
87
|
+
)
|
|
77
88
|
# Generate CA certificate
|
|
78
|
-
subprocess.run(
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
89
|
+
subprocess.run(
|
|
90
|
+
[
|
|
91
|
+
"openssl",
|
|
92
|
+
"req",
|
|
93
|
+
"-new",
|
|
94
|
+
"-x509",
|
|
95
|
+
"-days",
|
|
96
|
+
"365",
|
|
97
|
+
"-key",
|
|
98
|
+
ca_key,
|
|
99
|
+
"-out",
|
|
100
|
+
ca_cert,
|
|
101
|
+
"-subj",
|
|
102
|
+
"/C=US/ST=State/L=City/O=Organization/CN=CA",
|
|
103
|
+
],
|
|
104
|
+
check=True,
|
|
105
|
+
capture_output=True,
|
|
106
|
+
)
|
|
82
107
|
print(f"✅ Generated CA certificate using OpenSSL: {ca_cert}")
|
|
83
108
|
return ca_cert
|
|
109
|
+
|
|
110
|
+
|
|
84
111
|
def generate_server_certificate(output_dir: str, ca_cert: str) -> tuple[str, str]:
|
|
85
112
|
"""
|
|
86
113
|
Generate server certificate and key using mcp_security_framework.
|
|
@@ -98,10 +125,10 @@ def generate_server_certificate(output_dir: str, ca_cert: str) -> tuple[str, str
|
|
|
98
125
|
try:
|
|
99
126
|
# Find CA key file
|
|
100
127
|
ca_key = None
|
|
101
|
-
if ca_cert.endswith(
|
|
102
|
-
ca_key = ca_cert.replace(
|
|
103
|
-
elif ca_cert.endswith(
|
|
104
|
-
ca_key = ca_cert.replace(
|
|
128
|
+
if ca_cert.endswith(".crt"):
|
|
129
|
+
ca_key = ca_cert.replace(".crt", ".key")
|
|
130
|
+
elif ca_cert.endswith(".pem"):
|
|
131
|
+
ca_key = ca_cert.replace(".pem", "_key.pem")
|
|
105
132
|
if not os.path.exists(ca_key):
|
|
106
133
|
print(f"❌ CA key file not found: {ca_key}")
|
|
107
134
|
return None, None
|
|
@@ -116,9 +143,12 @@ def generate_server_certificate(output_dir: str, ca_cert: str) -> tuple[str, str
|
|
|
116
143
|
validity_days=365,
|
|
117
144
|
key_size=2048,
|
|
118
145
|
hash_algorithm="sha256",
|
|
119
|
-
subject_alt_names=[
|
|
146
|
+
subject_alt_names=[
|
|
147
|
+
"localhost",
|
|
148
|
+
"127.0.0.1",
|
|
149
|
+
], # Используем subject_alt_names вместо san_dns
|
|
120
150
|
ca_cert_path=ca_cert,
|
|
121
|
-
ca_key_path=ca_key
|
|
151
|
+
ca_key_path=ca_key,
|
|
122
152
|
)
|
|
123
153
|
# Create certificate manager
|
|
124
154
|
cert_config = CertificateConfig(
|
|
@@ -126,7 +156,7 @@ def generate_server_certificate(output_dir: str, ca_cert: str) -> tuple[str, str
|
|
|
126
156
|
key_storage_path=keys_dir,
|
|
127
157
|
default_validity_days=365,
|
|
128
158
|
key_size=2048,
|
|
129
|
-
hash_algorithm="sha256"
|
|
159
|
+
hash_algorithm="sha256",
|
|
130
160
|
)
|
|
131
161
|
cert_manager = CertificateManager(cert_config)
|
|
132
162
|
# Create server certificate
|
|
@@ -135,7 +165,9 @@ def generate_server_certificate(output_dir: str, ca_cert: str) -> tuple[str, str
|
|
|
135
165
|
print(f"✅ Generated server certificate using mcp_security_framework")
|
|
136
166
|
return (cert_pair.certificate_path, cert_pair.private_key_path)
|
|
137
167
|
else:
|
|
138
|
-
print(
|
|
168
|
+
print(
|
|
169
|
+
f"❌ Failed to create server certificate: Invalid certificate pair"
|
|
170
|
+
)
|
|
139
171
|
return None, None
|
|
140
172
|
except Exception as e:
|
|
141
173
|
print(f"❌ Error creating server certificate with framework: {e}")
|
|
@@ -147,25 +179,61 @@ def generate_server_certificate(output_dir: str, ca_cert: str) -> tuple[str, str
|
|
|
147
179
|
server_csr = os.path.join(certs_dir, "server.csr")
|
|
148
180
|
server_cert = os.path.join(certs_dir, "server.crt")
|
|
149
181
|
# Generate server private key
|
|
150
|
-
subprocess.run(
|
|
151
|
-
"openssl", "genrsa", "-out", server_key, "2048"
|
|
152
|
-
|
|
182
|
+
subprocess.run(
|
|
183
|
+
["openssl", "genrsa", "-out", server_key, "2048"],
|
|
184
|
+
check=True,
|
|
185
|
+
capture_output=True,
|
|
186
|
+
)
|
|
153
187
|
# Generate server certificate signing request
|
|
154
|
-
subprocess.run(
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
188
|
+
subprocess.run(
|
|
189
|
+
[
|
|
190
|
+
"openssl",
|
|
191
|
+
"req",
|
|
192
|
+
"-new",
|
|
193
|
+
"-key",
|
|
194
|
+
server_key,
|
|
195
|
+
"-out",
|
|
196
|
+
server_csr,
|
|
197
|
+
"-subj",
|
|
198
|
+
"/C=US/ST=State/L=City/O=Organization/CN=localhost",
|
|
199
|
+
],
|
|
200
|
+
check=True,
|
|
201
|
+
capture_output=True,
|
|
202
|
+
)
|
|
158
203
|
# Sign server certificate with CA
|
|
159
|
-
subprocess.run(
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
204
|
+
subprocess.run(
|
|
205
|
+
[
|
|
206
|
+
"openssl",
|
|
207
|
+
"x509",
|
|
208
|
+
"-req",
|
|
209
|
+
"-in",
|
|
210
|
+
server_csr,
|
|
211
|
+
"-CA",
|
|
212
|
+
ca_cert,
|
|
213
|
+
"-CAkey",
|
|
214
|
+
ca_key,
|
|
215
|
+
"-CAcreateserial",
|
|
216
|
+
"-out",
|
|
217
|
+
server_cert,
|
|
218
|
+
"-days",
|
|
219
|
+
"365",
|
|
220
|
+
],
|
|
221
|
+
check=True,
|
|
222
|
+
capture_output=True,
|
|
223
|
+
)
|
|
163
224
|
# Clean up CSR
|
|
164
225
|
os.remove(server_csr)
|
|
165
226
|
print(f"✅ Generated server certificate using OpenSSL: {server_cert}")
|
|
166
227
|
return server_cert, server_key
|
|
167
|
-
|
|
168
|
-
|
|
228
|
+
|
|
229
|
+
|
|
230
|
+
def generate_client_certificate(
|
|
231
|
+
output_dir: str,
|
|
232
|
+
ca_cert: str,
|
|
233
|
+
client_name: str = "client",
|
|
234
|
+
roles: List[str] = None,
|
|
235
|
+
permissions: List[str] = None,
|
|
236
|
+
) -> tuple[str, str]:
|
|
169
237
|
"""
|
|
170
238
|
Generate client certificate and key using mcp_security_framework.
|
|
171
239
|
Args:
|
|
@@ -185,10 +253,10 @@ def generate_client_certificate(output_dir: str, ca_cert: str, client_name: str
|
|
|
185
253
|
try:
|
|
186
254
|
# Find CA key file
|
|
187
255
|
ca_key = None
|
|
188
|
-
if ca_cert.endswith(
|
|
189
|
-
ca_key = ca_cert.replace(
|
|
190
|
-
elif ca_cert.endswith(
|
|
191
|
-
ca_key = ca_cert.replace(
|
|
256
|
+
if ca_cert.endswith(".crt"):
|
|
257
|
+
ca_key = ca_cert.replace(".crt", ".key")
|
|
258
|
+
elif ca_cert.endswith(".pem"):
|
|
259
|
+
ca_key = ca_cert.replace(".pem", "_key.pem")
|
|
192
260
|
if not os.path.exists(ca_key):
|
|
193
261
|
print(f"❌ CA key file not found: {ca_key}")
|
|
194
262
|
return None, None
|
|
@@ -206,7 +274,7 @@ def generate_client_certificate(output_dir: str, ca_cert: str, client_name: str
|
|
|
206
274
|
roles=roles or [],
|
|
207
275
|
permissions=permissions or [],
|
|
208
276
|
ca_cert_path=ca_cert,
|
|
209
|
-
ca_key_path=ca_key
|
|
277
|
+
ca_key_path=ca_key,
|
|
210
278
|
)
|
|
211
279
|
# Create certificate manager
|
|
212
280
|
cert_config = CertificateConfig(
|
|
@@ -214,19 +282,25 @@ def generate_client_certificate(output_dir: str, ca_cert: str, client_name: str
|
|
|
214
282
|
key_storage_path=keys_dir,
|
|
215
283
|
default_validity_days=730,
|
|
216
284
|
key_size=2048,
|
|
217
|
-
hash_algorithm="sha256"
|
|
285
|
+
hash_algorithm="sha256",
|
|
218
286
|
)
|
|
219
287
|
cert_manager = CertificateManager(cert_config)
|
|
220
288
|
# Create client certificate
|
|
221
289
|
cert_pair = cert_manager.create_client_certificate(client_config)
|
|
222
290
|
if cert_pair and cert_pair.certificate_path and cert_pair.private_key_path:
|
|
223
|
-
print(
|
|
291
|
+
print(
|
|
292
|
+
f"✅ Generated client certificate {client_name} using mcp_security_framework"
|
|
293
|
+
)
|
|
224
294
|
return (cert_pair.certificate_path, cert_pair.private_key_path)
|
|
225
295
|
else:
|
|
226
|
-
print(
|
|
296
|
+
print(
|
|
297
|
+
f"❌ Failed to create client certificate {client_name}: Invalid certificate pair"
|
|
298
|
+
)
|
|
227
299
|
return None, None
|
|
228
300
|
except Exception as e:
|
|
229
|
-
print(
|
|
301
|
+
print(
|
|
302
|
+
f"❌ Error creating client certificate {client_name} with framework: {e}"
|
|
303
|
+
)
|
|
230
304
|
return None, None
|
|
231
305
|
else:
|
|
232
306
|
# Fallback to OpenSSL
|
|
@@ -235,23 +309,56 @@ def generate_client_certificate(output_dir: str, ca_cert: str, client_name: str
|
|
|
235
309
|
client_csr = os.path.join(certs_dir, f"{client_name}.csr")
|
|
236
310
|
client_cert = os.path.join(certs_dir, f"{client_name}.crt")
|
|
237
311
|
# Generate client private key
|
|
238
|
-
subprocess.run(
|
|
239
|
-
"openssl", "genrsa", "-out", client_key, "2048"
|
|
240
|
-
|
|
312
|
+
subprocess.run(
|
|
313
|
+
["openssl", "genrsa", "-out", client_key, "2048"],
|
|
314
|
+
check=True,
|
|
315
|
+
capture_output=True,
|
|
316
|
+
)
|
|
241
317
|
# Generate client certificate signing request
|
|
242
|
-
subprocess.run(
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
|
|
318
|
+
subprocess.run(
|
|
319
|
+
[
|
|
320
|
+
"openssl",
|
|
321
|
+
"req",
|
|
322
|
+
"-new",
|
|
323
|
+
"-key",
|
|
324
|
+
client_key,
|
|
325
|
+
"-out",
|
|
326
|
+
client_csr,
|
|
327
|
+
"-subj",
|
|
328
|
+
f"/C=US/ST=State/L=City/O=Organization/CN={client_name}-client",
|
|
329
|
+
],
|
|
330
|
+
check=True,
|
|
331
|
+
capture_output=True,
|
|
332
|
+
)
|
|
246
333
|
# Sign client certificate with CA
|
|
247
|
-
subprocess.run(
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
334
|
+
subprocess.run(
|
|
335
|
+
[
|
|
336
|
+
"openssl",
|
|
337
|
+
"x509",
|
|
338
|
+
"-req",
|
|
339
|
+
"-in",
|
|
340
|
+
client_csr,
|
|
341
|
+
"-CA",
|
|
342
|
+
ca_cert,
|
|
343
|
+
"-CAkey",
|
|
344
|
+
ca_key,
|
|
345
|
+
"-CAcreateserial",
|
|
346
|
+
"-out",
|
|
347
|
+
client_cert,
|
|
348
|
+
"-days",
|
|
349
|
+
"730",
|
|
350
|
+
],
|
|
351
|
+
check=True,
|
|
352
|
+
capture_output=True,
|
|
353
|
+
)
|
|
251
354
|
# Clean up CSR
|
|
252
355
|
os.remove(client_csr)
|
|
253
|
-
print(
|
|
356
|
+
print(
|
|
357
|
+
f"✅ Generated client certificate {client_name} using OpenSSL: {client_cert}"
|
|
358
|
+
)
|
|
254
359
|
return client_cert, client_key
|
|
360
|
+
|
|
361
|
+
|
|
255
362
|
def generate_tokens(output_dir: str) -> Dict[str, str]:
|
|
256
363
|
"""
|
|
257
364
|
Generate API tokens for different roles.
|
|
@@ -267,14 +374,16 @@ def generate_tokens(output_dir: str) -> Dict[str, str]:
|
|
|
267
374
|
"user": "user-token-456",
|
|
268
375
|
"readonly": "readonly-token-123",
|
|
269
376
|
"guest": "guest-token-123",
|
|
270
|
-
"proxy": "proxy-token-123"
|
|
377
|
+
"proxy": "proxy-token-123",
|
|
271
378
|
}
|
|
272
379
|
# Save tokens to file
|
|
273
380
|
tokens_file = os.path.join(tokens_dir, "tokens.json")
|
|
274
|
-
with open(tokens_file,
|
|
381
|
+
with open(tokens_file, "w") as f:
|
|
275
382
|
json.dump(tokens, f, indent=2)
|
|
276
383
|
print(f"✅ Generated tokens: {tokens_file}")
|
|
277
384
|
return tokens
|
|
385
|
+
|
|
386
|
+
|
|
278
387
|
def generate_roles_config(output_dir: str) -> Dict[str, Any]:
|
|
279
388
|
"""
|
|
280
389
|
Generate roles configuration file.
|
|
@@ -285,37 +394,54 @@ def generate_roles_config(output_dir: str) -> Dict[str, Any]:
|
|
|
285
394
|
"""
|
|
286
395
|
roles_config = {
|
|
287
396
|
"admin": {
|
|
288
|
-
"permissions": [
|
|
289
|
-
|
|
397
|
+
"permissions": [
|
|
398
|
+
"read",
|
|
399
|
+
"write",
|
|
400
|
+
"execute",
|
|
401
|
+
"delete",
|
|
402
|
+
"admin",
|
|
403
|
+
"register",
|
|
404
|
+
"unregister",
|
|
405
|
+
"heartbeat",
|
|
406
|
+
"discover",
|
|
407
|
+
],
|
|
408
|
+
"tokens": [],
|
|
290
409
|
},
|
|
291
410
|
"user": {
|
|
292
|
-
"permissions": [
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
"
|
|
301
|
-
"tokens": []
|
|
411
|
+
"permissions": [
|
|
412
|
+
"read",
|
|
413
|
+
"execute",
|
|
414
|
+
"register",
|
|
415
|
+
"unregister",
|
|
416
|
+
"heartbeat",
|
|
417
|
+
"discover",
|
|
418
|
+
],
|
|
419
|
+
"tokens": [],
|
|
302
420
|
},
|
|
421
|
+
"readonly": {"permissions": ["read", "discover"], "tokens": []},
|
|
422
|
+
"guest": {"permissions": ["read", "discover"], "tokens": []},
|
|
303
423
|
"proxy": {
|
|
304
424
|
"permissions": ["register", "unregister", "heartbeat", "discover"],
|
|
305
|
-
"tokens": []
|
|
306
|
-
}
|
|
425
|
+
"tokens": [],
|
|
426
|
+
},
|
|
307
427
|
}
|
|
308
428
|
# Save roles config to file
|
|
309
429
|
roles_file = os.path.join(output_dir, "roles.json")
|
|
310
|
-
with open(roles_file,
|
|
430
|
+
with open(roles_file, "w") as f:
|
|
311
431
|
json.dump(roles_config, f, indent=2)
|
|
312
432
|
print(f"✅ Generated roles configuration: {roles_file}")
|
|
313
433
|
return roles_config
|
|
434
|
+
|
|
435
|
+
|
|
314
436
|
def main():
|
|
315
437
|
"""Main function for certificate and token generation."""
|
|
316
438
|
parser = argparse.ArgumentParser(description="Generate certificates and tokens")
|
|
317
|
-
parser.add_argument(
|
|
318
|
-
|
|
439
|
+
parser.add_argument(
|
|
440
|
+
"--output-dir", "-o", default="./certs", help="Output directory"
|
|
441
|
+
)
|
|
442
|
+
parser.add_argument(
|
|
443
|
+
"--framework", action="store_true", help="Use mcp_security_framework"
|
|
444
|
+
)
|
|
319
445
|
args = parser.parse_args()
|
|
320
446
|
print("🔐 Certificate and Token Generation Script")
|
|
321
447
|
print("=" * 50)
|
|
@@ -340,11 +466,29 @@ def main():
|
|
|
340
466
|
# 3. Generate client certificates
|
|
341
467
|
print("\n🔧 Generating client certificates...")
|
|
342
468
|
client_configs = [
|
|
343
|
-
(
|
|
344
|
-
|
|
469
|
+
(
|
|
470
|
+
"admin",
|
|
471
|
+
["admin"],
|
|
472
|
+
[
|
|
473
|
+
"read",
|
|
474
|
+
"write",
|
|
475
|
+
"execute",
|
|
476
|
+
"delete",
|
|
477
|
+
"admin",
|
|
478
|
+
"register",
|
|
479
|
+
"unregister",
|
|
480
|
+
"heartbeat",
|
|
481
|
+
"discover",
|
|
482
|
+
],
|
|
483
|
+
),
|
|
484
|
+
(
|
|
485
|
+
"user",
|
|
486
|
+
["user"],
|
|
487
|
+
["read", "execute", "register", "unregister", "heartbeat", "discover"],
|
|
488
|
+
),
|
|
345
489
|
("readonly", ["readonly"], ["read", "discover"]),
|
|
346
490
|
("guest", ["guest"], ["read", "discover"]),
|
|
347
|
-
("proxy", ["proxy"], ["register", "unregister", "heartbeat", "discover"])
|
|
491
|
+
("proxy", ["proxy"], ["register", "unregister", "heartbeat", "discover"]),
|
|
348
492
|
]
|
|
349
493
|
for client_name, roles, permissions in client_configs:
|
|
350
494
|
client_cert, client_key = generate_client_certificate(
|
|
@@ -365,5 +509,7 @@ def main():
|
|
|
365
509
|
except Exception as e:
|
|
366
510
|
print(f"❌ Error during generation: {e}")
|
|
367
511
|
return 1
|
|
512
|
+
|
|
513
|
+
|
|
368
514
|
if __name__ == "__main__":
|
|
369
515
|
exit(main())
|