mcp-proxy-adapter 6.4.47__py3-none-any.whl → 6.6.0__py3-none-any.whl

mcp_proxy_adapter/core/security_integration.py

@@ -88,53 +88,42 @@ class SecurityIntegration:
         # self.config is already the security section passed from unified_security.py
         security_section = self.config
 
-        # Create SSL config
+        # Create SSL config - SSL is handled by server protocol, not security config
         ssl_config = SSLConfig(
-            enabled=security_section.get("ssl", {}).get("enabled", False),
-            cert_file=security_section.get("ssl", {}).get("cert_file"),
-            key_file=security_section.get("ssl", {}).get("key_file"),
-            ca_cert_file=security_section.get("ssl", {}).get("ca_cert_file"),
-            client_cert_file=security_section.get("ssl", {}).get("client_cert_file"),
-            client_key_file=security_section.get("ssl", {}).get("client_key_file"),
-            verify_mode=security_section.get("ssl", {}).get(
-                "verify_mode", "CERT_REQUIRED"
-            ),
-            min_tls_version=security_section.get("ssl", {}).get(
-                "min_tls_version", "TLSv1.2"
-            ),
-            check_hostname=security_section.get("ssl", {}).get("check_hostname", True),
-            check_expiry=security_section.get("ssl", {}).get("check_expiry", True),
-            expiry_warning_days=security_section.get("ssl", {}).get(
-                "expiry_warning_days", 30
-            ),
+            enabled=False,  # SSL is handled by server protocol
+            cert_file=None,
+            key_file=None,
+            ca_cert_file=None,
+            client_cert_file=None,
+            client_key_file=None,
+            verify_mode="CERT_REQUIRED",
+            min_tls_version="TLSv1.2",
+            check_hostname=True,
+            check_expiry=True,
+            expiry_warning_days=30,
         )
 
-        # Create auth config
+        # Create auth config - use new simplified structure
         auth_config = AuthConfig(
-            enabled=security_section.get("auth", {}).get("enabled", True),
-            methods=security_section.get("auth", {}).get("methods", ["api_key"]),
-            api_keys=security_section.get("auth", {}).get("api_keys", {}),
-            user_roles=security_section.get("auth", {}).get("user_roles", {}),
-            jwt_secret=security_section.get("auth", {}).get("jwt_secret"),
-            jwt_algorithm=security_section.get("auth", {}).get(
-                "jwt_algorithm", "HS256"
-            ),
-            jwt_expiry_hours=security_section.get("auth", {}).get(
-                "jwt_expiry_hours", 24
-            ),
-            certificate_auth=security_section.get("auth", {}).get(
-                "certificate_auth", False
-            ),
-            public_paths=security_section.get("auth", {}).get("public_paths", []),
+            enabled=security_section.get("enabled", True),
+            methods=["api_key"],  # Use token-based authentication
+            api_keys=security_section.get("tokens", {}),
+            user_roles={},  # Will be handled by permissions
+            jwt_secret=None,
+            jwt_algorithm="HS256",
+            jwt_expiry_hours=24,
+            certificate_auth=False,
+            public_paths=[],
         )
 
-        # Create permission config - handle null values properly
-        permissions_section = security_section.get("permissions", {})
-        permissions_enabled = permissions_section.get("enabled", True)
+        # Create permission config - use new simplified structure
+        roles = security_section.get("roles", {})
+        roles_file = security_section.get("roles_file")
+        
+        # Enable permissions if we have roles or roles_file
+        permissions_enabled = bool(roles or roles_file)
 
         if permissions_enabled:
-            roles_file = permissions_section.get("roles_file")
-
             # If roles_file is None or empty string, don't pass it to avoid framework errors
             if roles_file is None or roles_file == "":
                 logger.warning(
@@ -145,20 +134,14 @@ class SecurityIntegration:
             permission_config = PermissionConfig(
                 enabled=True,
                 roles_file=roles_file,
-                default_role=permissions_section.get("default_role", "guest"),
-                admin_role=permissions_section.get("admin_role", "admin"),
-                role_hierarchy=permissions_section.get("role_hierarchy", {}),
-                permission_cache_enabled=permissions_section.get(
-                    "permission_cache_enabled", True
-                ),
-                permission_cache_ttl=permissions_section.get(
-                    "permission_cache_ttl", 300
-                ),
-                wildcard_permissions=permissions_section.get(
-                    "wildcard_permissions", False
-                ),
-                strict_mode=permissions_section.get("strict_mode", True),
-                roles=permissions_section.get("roles"),
+                default_role="guest",
+                admin_role="admin",
+                role_hierarchy={},
+                permission_cache_enabled=True,
+                permission_cache_ttl=300,
+                wildcard_permissions=False,
+                strict_mode=True,
+                roles=roles,
             )
         else:
             # Create minimal permission config when permissions are disabled
@@ -175,57 +158,37 @@ class SecurityIntegration:
                 roles={},
             )
 
-        # Create rate limit config
+        # Create rate limit config - use defaults since rate_limit section doesn't exist in new structure
         rate_limit_config = RateLimitConfig(
-            enabled=security_section.get("rate_limit", {}).get("enabled", True),
-            default_requests_per_minute=security_section.get("rate_limit", {}).get(
-                "default_requests_per_minute", 60
-            ),
-            default_requests_per_hour=security_section.get("rate_limit", {}).get(
-                "default_requests_per_hour", 1000
-            ),
-            burst_limit=security_section.get("rate_limit", {}).get("burst_limit", 2),
-            window_size_seconds=security_section.get("rate_limit", {}).get(
-                "window_size_seconds", 60
-            ),
-            storage_backend=security_section.get("rate_limit", {}).get(
-                "storage_backend", "memory"
-            ),
-            exempt_paths=security_section.get("rate_limit", {}).get("exempt_paths", []),
-            exempt_roles=security_section.get("rate_limit", {}).get("exempt_roles", []),
+            enabled=True,
+            default_requests_per_minute=60,
+            default_requests_per_hour=1000,
+            burst_limit=2,
+            window_size_seconds=60,
+            storage_backend="memory",
+            exempt_paths=[],
+            exempt_roles=[],
         )
 
-        # Create certificate config
+        # Create certificate config - certificates are handled by server protocol
         certificate_config = CertificateConfig(
-            enabled=security_section.get("certificates", {}).get("enabled", False),
-            ca_cert_path=security_section.get("certificates", {}).get("ca_cert_path"),
-            ca_key_path=security_section.get("certificates", {}).get("ca_key_path"),
-            cert_storage_path=security_section.get("certificates", {}).get(
-                "cert_storage_path", "./certs"
-            ),
-            key_storage_path=security_section.get("certificates", {}).get(
-                "key_storage_path", "./keys"
-            ),
-            default_validity_days=security_section.get("certificates", {}).get(
-                "default_validity_days", 365
-            ),
-            key_size=security_section.get("certificates", {}).get("key_size", 2048),
-            hash_algorithm=security_section.get("certificates", {}).get(
-                "hash_algorithm", "sha256"
-            ),
+            enabled=False,  # Certificates are handled by server protocol
+            ca_cert_path=None,
+            ca_key_path=None,
+            cert_storage_path="./certs",
+            key_storage_path="./keys",
+            default_validity_days=365,
+            key_size=2048,
+            hash_algorithm="sha256",
         )
 
-        # Create logging config
+        # Create logging config - use defaults since logging section doesn't exist in new structure
         logging_config = LoggingConfig(
-            enabled=security_section.get("logging", {}).get("enabled", True),
-            level=security_section.get("logging", {}).get("level", "INFO"),
-            format=security_section.get("logging", {}).get(
-                "format", "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
-            ),
-            console_output=security_section.get("logging", {}).get(
-                "console_output", True
-            ),
-            file_path=security_section.get("logging", {}).get("file_path"),
+            enabled=True,
+            level="INFO",
+            format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
+            console_output=True,
+            file_path=None,
         )
 
         # Create main security config

mcp_proxy_adapter/core/server_adapter.py

@@ -67,6 +67,10 @@ class ServerConfigAdapter:
         if ssl_config.get("verify_client", False):
             hypercorn_ssl["verify_mode"] = "CERT_REQUIRED"
 
+        # Map hostname checking
+        if "chk_hostname" in ssl_config:
+            hypercorn_ssl["check_hostname"] = ssl_config["chk_hostname"]
+
         logger.debug(f"Converted SSL config to hypercorn: {hypercorn_ssl}")
         return hypercorn_ssl