mcp-proxy-adapter 6.4.43__py3-none-any.whl → 6.4.45__py3-none-any.whl

mcp_proxy_adapter/examples/security_test_client.py

@@ -30,14 +30,16 @@ sys.path.insert(0, str(current_dir))
 
 # Import mcp_security_framework components
 try:
-    from mcp_security_framework import SSLManager
-    from mcp_security_framework.schemas.config import SSLConfig
+    from mcp_security_framework import SecurityManager, SecurityConfig, AuthConfig, PermissionConfig, SSLConfig
+    from mcp_security_framework.schemas.config import SSLConfig as SSLConfigSchema
 
     _MCP_SECURITY_AVAILABLE = True
     print("✅ mcp_security_framework available")
-except ImportError:
-    _MCP_SECURITY_AVAILABLE = False
-    print("⚠️ mcp_security_framework not available, falling back to standard SSL")
+except ImportError as e:
+    print(f"❌ CRITICAL ERROR: mcp_security_framework is required but not available!")
+    print(f"❌ Import error: {e}")
+    print("❌ Please install mcp_security_framework: pip install mcp_security_framework")
+    raise ImportError("mcp_security_framework is required for security tests") from e
 
 # Import cryptography components
 try:
@@ -75,23 +77,19 @@ class SecurityTestClient:
         self.cert_manager = None
         self._security_available = _MCP_SECURITY_AVAILABLE
         self._crypto_available = _CRYPTOGRAPHY_AVAILABLE
+        
+        # Authentication configuration
+        self.auth_enabled = False
+        self.auth_methods = []
+        self.api_keys = {}
+        self.roles_file = None
 
         if self._security_available:
-            try:
-                # Initialize SSL manager with default config
-                ssl_config = SSLConfig(
-                    enabled=True,
-                    cert_file=None,
-                    key_file=None,
-                    ca_cert_file=None,
-                    verify_mode="CERT_NONE",  # For testing
-                    min_tls_version="TLSv1.2",
-                )
-                self.ssl_manager = SSLManager(ssl_config)
-                print("✅ SSL Manager initialized with mcp_security_framework")
-            except Exception as e:
-                print(f"⚠️ Failed to initialize SSL Manager: {e}")
-                self._security_available = False
+            # For testing purposes, we don't initialize SecurityManager
+            # because we're testing server configurations, not the framework itself
+            # SecurityManager will be used only when actually needed by the server
+            self.ssl_manager = None
+            print("✅ mcp_security_framework available for testing")
 
         if not self._security_available:
             print("ℹ️ Using standard SSL library for testing")
@@ -114,7 +112,7 @@ class SecurityTestClient:
             },
             "user": {
                 "cert": "certs/user_cert.pem",
-                "key": "certs/user_key.pem",
+                "key": "keys/user_key.pem",
             },
             "readonly": {
                 "cert": "certs/readonly_cert.pem",
@@ -122,52 +120,48 @@ class SecurityTestClient:
             },
         }
 
-    async def __aenter__(self):
-        """Async context manager entry."""
-        timeout = ClientTimeout(total=30)
-        # Create SSL context for HTTPS connections
-        ssl_context = self.create_ssl_context()
-        connector = TCPConnector(ssl=ssl_context)
-        self.session = ClientSession(timeout=timeout, connector=connector)
-        return self
-
     def create_ssl_context_for_mtls(self) -> ssl.SSLContext:
         """Create SSL context for mTLS connections."""
-        if self.ssl_manager and self._security_available:
-            try:
-                # Use mcp_security_framework for mTLS
-                cert_file = "./certs/user_cert.pem"
-                key_file = "./certs/user_key.pem"
-                ca_cert_file = "./certs/mcp_proxy_adapter_ca_ca.crt"
-
-                return self.ssl_manager.create_client_context(
-                    ca_cert_file=ca_cert_file if os.path.exists(ca_cert_file) else None,
-                    client_cert_file=cert_file if os.path.exists(cert_file) else None,
-                    client_key_file=key_file if os.path.exists(key_file) else None,
-                    verify_mode="CERT_NONE",  # For testing
-                    min_version="TLSv1.2",
-                )
-            except Exception as e:
-                print(
-                    f"⚠️ Failed to create mTLS context with mcp_security_framework: {e}"
-                )
-                print("ℹ️ Falling back to standard SSL")
+        # For mTLS, we need client certificates - check if they exist
+        cert_file = "./certs/user_cert.pem"
+        key_file = "./keys/user_key.pem"
+        ca_cert_file = "./certs/mcp_proxy_adapter_ca_ca.crt"
+        
+        # CRITICAL: For mTLS, certificates are REQUIRED
+        if not os.path.exists(cert_file):
+            raise FileNotFoundError(f"CRITICAL ERROR: mTLS client certificate not found: {cert_file}")
+        if not os.path.exists(key_file):
+            raise FileNotFoundError(f"CRITICAL ERROR: mTLS client key not found: {key_file}")
+        
+        # For testing, we use standard SSL library
+        # SecurityManager is not initialized for testing purposes
 
-        # Fallback to standard SSL
+        # Use standard SSL library for testing
         ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
         # For mTLS testing - client needs to present certificate to server
         ssl_context.check_hostname = False
         ssl_context.verify_mode = ssl.CERT_NONE  # Don't verify server cert for testing
-        # Load client certificate and key for mTLS
-        cert_file = "./certs/user_cert.pem"
-        key_file = "./certs/user_key.pem"
-        ca_cert_file = "./certs/mcp_proxy_adapter_ca_ca.crt"
-        if os.path.exists(cert_file) and os.path.exists(key_file):
-            ssl_context.load_cert_chain(certfile=cert_file, keyfile=key_file)
+        # Load client certificate and key for mTLS (we already checked they exist)
+        ssl_context.load_cert_chain(certfile=cert_file, keyfile=key_file)
         if os.path.exists(ca_cert_file):
             ssl_context.load_verify_locations(cafile=ca_cert_file)
         return ssl_context
 
+    async def __aenter__(self):
+        """Async context manager entry."""
+        timeout = ClientTimeout(total=30)
+        # Create SSL context only for HTTPS URLs
+        if self.base_url.startswith('https://'):
+            ssl_context = self.create_ssl_context()
+            connector = TCPConnector(ssl=ssl_context)
+        else:
+            # For HTTP URLs, use default connector without SSL
+            connector = TCPConnector()
+        
+        # Create session
+        self.session = ClientSession(timeout=timeout, connector=connector)
+        return self
+
     async def __aexit__(self, exc_type, exc_val, exc_tb):
         """Async context manager exit."""
         if self.session:
@@ -180,31 +174,18 @@ class SecurityTestClient:
         ca_cert_file: Optional[str] = None,
     ) -> ssl.SSLContext:
         """Create SSL context for client."""
-        if self.ssl_manager and self._security_available:
-            try:
-                # Use mcp_security_framework for SSL context creation
-                return self.ssl_manager.create_client_context(
-                    ca_cert_file=(
-                        ca_cert_file
-                        if ca_cert_file and os.path.exists(ca_cert_file)
-                        else None
-                    ),
-                    client_cert_file=(
-                        cert_file if cert_file and os.path.exists(cert_file) else None
-                    ),
-                    client_key_file=(
-                        key_file if key_file and os.path.exists(key_file) else None
-                    ),
-                    verify_mode="CERT_NONE",  # For testing
-                    min_version="TLSv1.2",
-                )
-            except Exception as e:
-                print(
-                    f"⚠️ Failed to create SSL context with mcp_security_framework: {e}"
-                )
-                print("ℹ️ Falling back to standard SSL")
+        # If certificates are provided, they must exist
+        if cert_file and not os.path.exists(cert_file):
+            raise FileNotFoundError(f"CRITICAL ERROR: SSL certificate not found: {cert_file}")
+        if key_file and not os.path.exists(key_file):
+            raise FileNotFoundError(f"CRITICAL ERROR: SSL key not found: {key_file}")
+        if ca_cert_file and not os.path.exists(ca_cert_file):
+            raise FileNotFoundError(f"CRITICAL ERROR: SSL CA certificate not found: {ca_cert_file}")
+        
+        # For testing, we use standard SSL library
+        # SecurityManager is not initialized for testing purposes
 
-        # Fallback to standard SSL
+        # Use standard SSL library for testing
         ssl_context = ssl.create_default_context()
         # For testing with self-signed certificates
         ssl_context.check_hostname = False
@@ -396,9 +377,9 @@ class SecurityTestClient:
     async def test_authentication(self) -> TestResult:
         """Test authentication."""
         if "api_key" in self.auth_methods:
-            # Use first available API key
-            api_key = next(iter(self.api_keys.keys()), "test-token-123")
-            return await self.test_echo_command(self.base_url, "api_key", token=api_key)
+            # Use admin API key value, not the key name
+            api_key_value = self.api_keys.get("admin", "admin-secret-key")
+            return await self.test_echo_command(self.base_url, "api_key", token=api_key_value)
         elif "certificate" in self.auth_methods:
             # For certificate auth, test with client certificate
             return await self.test_echo_command(self.base_url, "certificate")
@@ -413,9 +394,78 @@ class SecurityTestClient:
 
     async def test_negative_authentication(self) -> TestResult:
         """Test negative authentication (should fail)."""
-        return await self.test_echo_command(
-            self.base_url, "api_key", token="invalid-token"
-        )
+        start_time = time.time()
+        test_name = "Negative Authentication Test"
+        try:
+            headers = self.create_auth_headers("api_key", token="invalid-token")
+            data = {
+                "jsonrpc": "2.0",
+                "method": "echo",
+                "params": {"message": "Should fail with invalid token"},
+                "id": 1,
+            }
+            async with self.session.post(
+                f"{self.base_url}/cmd", headers=headers, json=data
+            ) as response:
+                duration = time.time() - start_time
+                
+                # Check if API key authentication is enabled
+                api_key_auth_enabled = self.auth_enabled and "api_key" in self.auth_methods
+                
+                if api_key_auth_enabled:
+                    # For configurations with API key auth, 401 is expected (success)
+                    if response.status == 401:
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=self.base_url,
+                            auth_type="api_key",
+                            success=True,
+                            status_code=response.status,
+                            response_data={"expected": "authentication_failure"},
+                            duration=duration,
+                        )
+                    else:
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=self.base_url,
+                            auth_type="api_key",
+                            success=False,
+                            status_code=response.status,
+                            error_message=f"Expected 401 Unauthorized, got {response.status}",
+                            duration=duration,
+                        )
+                else:
+                    # For configurations without API key auth, 200 is expected (success)
+                    if response.status == 200:
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=self.base_url,
+                            auth_type="api_key",
+                            success=True,
+                            status_code=response.status,
+                            response_data={"expected": "no_auth_required"},
+                            duration=duration,
+                        )
+                    else:
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=self.base_url,
+                            auth_type="api_key",
+                            success=False,
+                            status_code=response.status,
+                            error_message=f"Expected 200 OK (no auth required), got {response.status}",
+                            duration=duration,
+                        )
+        except Exception as e:
+            duration = time.time() - start_time
+            return TestResult(
+                test_name=test_name,
+                server_url=self.base_url,
+                auth_type="api_key",
+                success=False,
+                error_message=f"Negative auth test error: {str(e)}",
+                duration=duration,
+            )
 
     async def test_no_auth_required(self) -> TestResult:
         """Test that no authentication is required."""
@@ -821,6 +871,203 @@ class SecurityTestClient:
                 print(f"  - {result.test_name} ({result.server_url})")
 
 
+    async def test_health(self) -> TestResult:
+        """Test health check endpoint."""
+        return await self.test_health_check(self.base_url, "none")
+
+    async def test_command_execution(self) -> TestResult:
+        """Test command execution."""
+        if self.auth_enabled and "api_key" in self.auth_methods:
+            # Use admin API key value, not the key name
+            api_key_value = self.api_keys.get("admin", "admin-secret-key")
+            return await self.test_echo_command(self.base_url, "api_key", token=api_key_value)
+        else:
+            return await self.test_echo_command(self.base_url, "none")
+
+    async def test_authentication(self) -> TestResult:
+        """Test authentication."""
+        if "api_key" in self.auth_methods:
+            # Use admin API key value, not the key name
+            api_key_value = self.api_keys.get("admin", "admin-secret-key")
+            return await self.test_echo_command(self.base_url, "api_key", token=api_key_value)
+        elif "certificate" in self.auth_methods:
+            # For certificate auth, test with client certificate
+            return await self.test_echo_command(self.base_url, "certificate")
+        else:
+            return TestResult(
+                test_name="Authentication Test",
+                server_url=self.base_url,
+                auth_type="none",
+                success=False,
+                error_message="No authentication method available",
+            )
+
+    async def test_negative_authentication(self) -> TestResult:
+        """Test negative authentication (should fail)."""
+        start_time = time.time()
+        test_name = "Negative Authentication Test"
+        try:
+            headers = self.create_auth_headers("api_key", token="invalid-token")
+            data = {
+                "jsonrpc": "2.0",
+                "method": "echo",
+                "params": {"message": "Should fail with invalid token"},
+                "id": 1,
+            }
+            async with self.session.post(
+                f"{self.base_url}/cmd", headers=headers, json=data
+            ) as response:
+                duration = time.time() - start_time
+                
+                # Check if API key authentication is enabled
+                api_key_auth_enabled = self.auth_enabled and "api_key" in self.auth_methods
+                
+                if api_key_auth_enabled:
+                    # For configurations with API key auth, 401 is expected (success)
+                    if response.status == 401:
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=self.base_url,
+                            auth_type="api_key",
+                            success=True,
+                            status_code=response.status,
+                            response_data={"expected": "authentication_failure"},
+                            duration=duration,
+                        )
+                    else:
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=self.base_url,
+                            auth_type="api_key",
+                            success=False,
+                            status_code=response.status,
+                            error_message=f"Expected 401 Unauthorized, got {response.status}",
+                            duration=duration,
+                        )
+                else:
+                    # For configurations without API key auth, 200 is expected (success)
+                    if response.status == 200:
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=self.base_url,
+                            auth_type="api_key",
+                            success=True,
+                            status_code=response.status,
+                            response_data={"expected": "no_auth_required"},
+                            duration=duration,
+                        )
+                    else:
+                        return TestResult(
+                            test_name=test_name,
+                            server_url=self.base_url,
+                            auth_type="api_key",
+                            success=False,
+                            status_code=response.status,
+                            error_message=f"Expected 200 OK (no auth required), got {response.status}",
+                            duration=duration,
+                        )
+        except Exception as e:
+            duration = time.time() - start_time
+            return TestResult(
+                test_name=test_name,
+                server_url=self.base_url,
+                auth_type="api_key",
+                success=False,
+                error_message=f"Negative auth test error: {str(e)}",
+                duration=duration,
+            )
+
+    async def test_no_auth_required(self) -> TestResult:
+        """Test that no authentication is required."""
+        return await self.test_echo_command(self.base_url, "none")
+
+    async def test_role_based_access(self, server_url: str, auth_type: str, role: str = "admin") -> TestResult:
+        """Test role-based access control."""
+        if not self.roles_file:
+            return TestResult(
+                test_name="Role-Based Access Test",
+                server_url=server_url,
+                auth_type=auth_type,
+                success=False,
+                error_message="Role-based access error: role is required for role-based access test",
+            )
+        
+        # Use admin role for testing
+        if auth_type == "api_key":
+            api_key_value = self.api_keys.get("admin", "admin-secret-key")
+            return await self.test_echo_command(server_url, auth_type, token=api_key_value, role=role)
+        else:
+            return await self.test_echo_command(server_url, auth_type, role=role)
+
+    async def test_role_permissions(self, server_url: str, auth_type: str, role: str = "admin", action: str = "read") -> TestResult:
+        """Test role permissions."""
+        if not self.roles_file:
+            return TestResult(
+                test_name="Role Permissions Test",
+                server_url=server_url,
+                auth_type=auth_type,
+                success=False,
+                error_message="Role permissions test error: role is required for role permissions test",
+            )
+        
+        # Test with admin role
+        if auth_type == "api_key":
+            api_key_value = self.api_keys.get("admin", "admin-secret-key")
+            return await self.test_echo_command(server_url, auth_type, token=api_key_value, role=role)
+        else:
+            return await self.test_echo_command(server_url, auth_type, role=role)
+
+    async def test_multiple_roles(self, server_url: str, auth_type: str) -> TestResult:
+        """Test multiple roles."""
+        # Test with readonly role (should have read access)
+        if auth_type == "api_key":
+            api_key_value = self.api_keys.get("readonly", "readonly-token-123")
+            result = await self.test_echo_command(server_url, auth_type, token=api_key_value, role="readonly")
+            if result.success:
+                return TestResult(
+                    test_name="Multiple Roles Test",
+                    server_url=server_url,
+                    auth_type=auth_type,
+                    success=True,
+                    response_data={"message": "Readonly role correctly has read access"},
+                )
+            else:
+                return TestResult(
+                    test_name="Multiple Roles Test",
+                    server_url=server_url,
+                    auth_type=auth_type,
+                    success=False,
+                    error_message="Readonly role incorrectly denied read access",
+                )
+        elif auth_type == "certificate":
+            # For certificate auth, test with user certificate (should have read access)
+            result = await self.test_echo_command(server_url, auth_type, role="user")
+            if result.success:
+                return TestResult(
+                    test_name="Multiple Roles Test",
+                    server_url=server_url,
+                    auth_type=auth_type,
+                    success=True,
+                    response_data={"message": "User certificate correctly has read access"},
+                )
+            else:
+                return TestResult(
+                    test_name="Multiple Roles Test",
+                    server_url=server_url,
+                    auth_type=auth_type,
+                    success=False,
+                    error_message="User certificate incorrectly denied read access",
+                )
+        else:
+            return TestResult(
+                test_name="Multiple Roles Test",
+                server_url=server_url,
+                auth_type=auth_type,
+                success=False,
+                error_message="Multiple roles test not implemented for this auth type",
+            )
+
+
 async def main():
     """Main function."""
     import argparse