mcp-proxy-adapter 6.4.48__py3-none-any.whl → 6.6.1__py3-none-any.whl

mcp_proxy_adapter/examples/run_security_tests_fixed.py

@@ -27,9 +27,7 @@ class SecurityTestRunner:
 
     def __init__(self):
         self.project_root = Path(__file__).parent.parent.parent
-        self.configs_dir = (
-            self.project_root / "mcp_proxy_adapter" / "examples" / "configs"
-        )
+        self.configs_dir = self.project_root / "configs"
         self.server_processes = {}
         self.test_results = []
 
@@ -137,23 +135,21 @@ class SecurityTestRunner:
             ]
         try:
             # Get remaining config for client setup
-            auth_enabled = (
-                config.get("security", {}).get("auth", {}).get("enabled", False)
-            )
-            auth_methods = config.get("security", {}).get("auth", {}).get("methods", [])
+            auth_enabled = config.get("security", {}).get("enabled", False)
+            # For new simplified structure, if security is enabled, we use token auth
+            auth_methods = ["api_key"] if auth_enabled else []
             # Create test client with correct protocol
-            protocol = (
-                "https" if config.get("ssl", {}).get("enabled", False) else "http"
-            )
+            server_protocol = config.get("server", {}).get("protocol", "http")
+            protocol = "https" if server_protocol in ["https", "mtls"] else "http"
             client = SecurityTestClient(base_url=f"{protocol}://localhost:{port}")
+            print(f"🔍 DEBUG: Created client with URL: {client.base_url}")
             client.auth_enabled = auth_enabled
             client.auth_methods = auth_methods
-            client.api_keys = (
-                config.get("security", {}).get("auth", {}).get("api_keys", {})
-            )
-            client.roles_file = config.get("security", {}).get("permissions", {}).get("roles_file")
+            client.api_keys = config.get("security", {}).get("tokens", {})
+            client.roles_file = config.get("security", {}).get("roles_file")
+            client.roles = config.get("security", {}).get("roles", {})
             # For mTLS, override SSL context creation and change working directory
-            if config_name == "mtls":
+            if server_protocol == "mtls":
                 client.create_ssl_context = client.create_ssl_context_for_mtls
                 # Ensure mTLS uses certificate auth
                 client.auth_methods = ["certificate"]
@@ -214,10 +210,10 @@ class SecurityTestRunner:
                     result = await client.test_negative_authentication()
                     results.append(result)
         except Exception as e:
-            results.append(
+                results.append(
                 TestResult(
                     test_name=f"{config_name}_client_error",
-                    server_url=f"http://localhost:{port}",
+                    server_url=f"{protocol}://localhost:{port}",
                     auth_type="none",
                     success=False,
                     error_message=str(e),
@@ -228,17 +224,68 @@ class SecurityTestRunner:
             self.stop_server(config_name, process)
         return results
 
+    def create_variant_from_full_config(self, full_config_path: Path, protocol: str, auth: str, port: int) -> Path:
+        """
+        Create a variant configuration from full config.
+        
+        Args:
+            full_config_path: Path to the full configuration file
+            protocol: Protocol type (http, https, mtls)
+            auth: Authentication type (none, token, token_roles)
+            port: Server port
+            
+        Returns:
+            Path to the temporary configuration file
+        """
+        import tempfile
+        import json
+        
+        # Load the full configuration
+        with open(full_config_path, 'r') as f:
+            full_config = json.load(f)
+        
+        # Create a copy of the full config
+        variant_config = full_config.copy()
+        
+        # Set server port and protocol
+        variant_config["server"]["port"] = port
+        variant_config["server"]["protocol"] = protocol
+        
+        # Apply protocol configuration
+        if protocol in variant_config.get("protocol_variants", {}):
+            protocol_config = variant_config["protocol_variants"][protocol]
+            variant_config["server"].update(protocol_config["server"])
+        
+        # Apply authentication configuration
+        if auth in variant_config.get("auth_variants", {}):
+            auth_config = variant_config["auth_variants"][auth]
+            variant_config["security"].update(auth_config["security"])
+        
+        # Remove the helper sections
+        variant_config.pop("protocol_variants", None)
+        variant_config.pop("auth_variants", None)
+        
+        # Create temporary config file
+        temp_dir = tempfile.mkdtemp(prefix="full_config_test_")
+        config_name = f"{protocol}_{auth}.json"
+        config_path = Path(temp_dir) / config_name
+        
+        with open(config_path, 'w') as f:
+            json.dump(variant_config, f, indent=2, ensure_ascii=False)
+        
+        return config_path
+
     async def run_all_tests(self):
         """Run all security tests."""
         print("🔒 Starting Security Testing Suite")
         print("=" * 50)
         # Test configurations
         configs = [
-            ("basic_http", "http_simple.json"),
-            ("http_token", "http_token.json"),
-            ("https", "https_simple.json"),
-            ("https_token", "https_token.json"),
-            ("mtls", "mtls_simple.json"),
+            ("basic_http", "http.json"),
+            ("http_token", "http_token_roles.json"),
+            ("https", "https.json"),
+            ("https_token", "https_token_roles.json"),
+            ("mtls", "mtls.json"),
         ]
         total_tests = 0
         passed_tests = 0
@@ -280,12 +327,128 @@ class SecurityTestRunner:
                 print(f"   Error: {result.error_message}")
         return passed_tests == total_tests
 
+    async def run_full_config_tests(self, full_config_path: str):
+        """Run tests using full configuration with all variants."""
+        print("🚀 Full Configuration Variants Testing")
+        print("=" * 60)
+        print(f"📁 Using full config: {full_config_path}")
+        
+        full_config_file = Path(full_config_path)
+        if not full_config_file.exists():
+            print(f"❌ Full configuration file not found: {full_config_path}")
+            return False
+        
+        # Define all combinations to test
+        variants = [
+            # HTTP variants
+            ("http", "none", 20000),
+            ("http", "token", 20001),
+            ("http", "token_roles", 20002),
+            
+            # HTTPS variants
+            ("https", "none", 20003),
+            ("https", "token", 20004),
+            ("https", "token_roles", 20005),
+            
+            # mTLS variants
+            ("mtls", "none", 20006),
+            ("mtls", "token", 20007),
+            ("mtls", "token_roles", 20008),
+        ]
+        
+        total_tests = 0
+        passed_tests = 0
+        all_results = []
+        
+        for protocol, auth, port in variants:
+            print(f"\n{'='*60}")
+            print(f"🧪 Testing {protocol.upper()} with {auth.upper()} authentication")
+            print(f"{'='*60}")
+            
+            # Create variant configuration
+            config_path = self.create_variant_from_full_config(full_config_file, protocol, auth, port)
+            
+            # Test the variant
+            config_name = f"{protocol}_{auth}"
+            results = await self.test_server(config_name, config_path)
+            
+            # Count results
+            for result in results:
+                total_tests += 1
+                if result.success:
+                    passed_tests += 1
+                    print(f"✅ {result.test_name}: PASS")
+                else:
+                    print(f"❌ {result.test_name}: FAIL - {result.error_message}")
+            
+            all_results.extend(results)
+            
+            # Clean up temporary config
+            import shutil
+            shutil.rmtree(config_path.parent)
+        
+        # Print final summary
+        print(f"\n{'='*60}")
+        print("📊 FULL CONFIG TEST SUMMARY")
+        print(f"{'='*60}")
+        print(f"Total tests: {total_tests}")
+        print(f"Passed: {passed_tests}")
+        print(f"Failed: {total_tests - passed_tests}")
+        print(f"Success rate: {(passed_tests/total_tests)*100:.1f}%")
+        
+        if total_tests - passed_tests > 0:
+            print(f"\n❌ Failed tests:")
+            for result in all_results:
+                if not result.success:
+                    print(f"   • {result.test_name}: {result.error_message}")
+        
+        return passed_tests == total_tests
+
+    def print_summary(self):
+        """Print test summary."""
+        if not self.test_results:
+            print("📊 No test results to display")
+            return
+            
+        total_tests = len(self.test_results)
+        passed_tests = sum(1 for result in self.test_results if result.success)
+        
+        print("\n" + "=" * 50)
+        print("📊 TEST SUMMARY")
+        print("=" * 50)
+        print(f"Total tests: {total_tests}")
+        print(f"Passed: {passed_tests}")
+        print(f"Failed: {total_tests - passed_tests}")
+        print(f"Success rate: {(passed_tests/total_tests)*100:.1f}%")
+        
+        if total_tests - passed_tests > 0:
+            print(f"\n📋 DETAILED RESULTS")
+            print("-" * 30)
+            for result in self.test_results:
+                status = "✅ PASS" if result.success else "❌ FAIL"
+                print(f"{status} {result.test_name}")
+                if not result.success and result.error_message:
+                    print(f"   Error: {result.error_message}")
+
 
 async def main():
     """Main function."""
+    import argparse
+    
+    parser = argparse.ArgumentParser(description="Security Testing Suite for MCP Proxy Adapter")
+    parser.add_argument("--full-config", help="Path to full configuration file for variant testing")
+    parser.add_argument("--verbose", action="store_true", help="Enable verbose output")
+    
+    args = parser.parse_args()
+    
     runner = SecurityTestRunner()
     try:
-        success = await runner.run_all_tests()
+        if args.full_config:
+            # Test full configuration variants
+            success = await runner.run_full_config_tests(args.full_config)
+        else:
+            # Run standard tests
+            success = await runner.run_all_tests()
         sys.exit(0 if success else 1)
     except KeyboardInterrupt:
         print("\n⚠️ Testing interrupted by user")

mcp_proxy_adapter/examples/security_test_client.py

@@ -83,6 +83,7 @@ class SecurityTestClient:
         self.auth_methods = []
         self.api_keys = {}
         self.roles_file = None
+        self.roles = {}
 
         if self._security_available:
             # For testing purposes, we don't initialize SecurityManager
@@ -99,7 +100,7 @@ class SecurityTestClient:
         self.test_tokens = {
             "admin": "admin-secret-key",
             "user": "user-secret-key",
-            "readonly": "readonly-token-123",
+            "readonly": "readonly-secret-key",
             "guest": "guest-token-123",
             "proxy": "proxy-token-123",
             "invalid": "invalid-token-999",
@@ -123,9 +124,11 @@ class SecurityTestClient:
     def create_ssl_context_for_mtls(self) -> ssl.SSLContext:
         """Create SSL context for mTLS connections."""
         # For mTLS, we need client certificates - check if they exist
-        cert_file = "./certs/user_cert.pem"
-        key_file = "./keys/user_key.pem"
-        ca_cert_file = "./certs/mcp_proxy_adapter_ca_ca.crt"
+        # Paths are relative to project root (../../ from examples directory)
+        # Use admin certificates to match server configuration
+        cert_file = "../../certs/admin.crt"
+        key_file = "../../certs/client_admin.key"
+        ca_cert_file = "../../certs/localhost_server.crt"
         
         # CRITICAL: For mTLS, certificates are REQUIRED
         if not os.path.exists(cert_file):
@@ -152,7 +155,13 @@ class SecurityTestClient:
         timeout = ClientTimeout(total=30)
         # Create SSL context only for HTTPS URLs
         if self.base_url.startswith('https://'):
-            ssl_context = self.create_ssl_context()
+            # Check if this is mTLS (ports 20006, 20007, 20008 are mTLS test ports)
+            if any(port in self.base_url for port in ['20006', '20007', '20008']):
+                # Use mTLS context with client certificates
+                ssl_context = self.create_ssl_context_for_mtls()
+            else:
+                # Use regular HTTPS context
+                ssl_context = self.create_ssl_context()
             connector = TCPConnector(ssl=ssl_context)
         else:
             # For HTTP URLs, use default connector without SSL
@@ -209,6 +218,11 @@ class SecurityTestClient:
             # Provide both common header styles to maximize compatibility
             headers["X-API-Key"] = token
             headers["Authorization"] = f"Bearer {token}"
+            
+            # Add role header if provided
+            role = kwargs.get("role")
+            if role:
+                headers["X-Role"] = role
         elif auth_type == "basic":
             username = kwargs.get("username")
             password = kwargs.get("password")
@@ -983,7 +997,7 @@ class SecurityTestClient:
 
     async def test_role_based_access(self, server_url: str, auth_type: str, role: str = "admin") -> TestResult:
         """Test role-based access control."""
-        if not self.roles_file:
+        if not self.roles_file and not self.roles:
             return TestResult(
                 test_name="Role-Based Access Test",
                 server_url=server_url,
@@ -1001,7 +1015,7 @@ class SecurityTestClient:
 
     async def test_role_permissions(self, server_url: str, auth_type: str, role: str = "admin", action: str = "read") -> TestResult:
         """Test role permissions."""
-        if not self.roles_file:
+        if not self.roles_file and not self.roles:
             return TestResult(
                 test_name="Role Permissions Test",
                 server_url=server_url,

mcp_proxy_adapter/examples/test_chk_hostname_automated.py

@@ -0,0 +1,214 @@
+#!/usr/bin/env python3
+"""
+Automated tests for chk_hostname functionality in all SSL modes.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import json
+import tempfile
+import os
+from pathlib import Path
+import sys
+
+# Add the project root to the path
+sys.path.insert(0, str(Path(__file__).parent))
+
+from mcp_proxy_adapter.config import Config
+from mcp_proxy_adapter.examples.config_builder import ConfigBuilder, Protocol, AuthMethod
+
+
+def test_chk_hostname_default_config():
+    """Test that default config has chk_hostname=False for HTTP."""
+    print("🧪 Testing default config chk_hostname...")
+    
+    config = Config()
+    
+    # Default should be HTTP with chk_hostname=False
+    assert config.get("server.protocol") == "http"
+    assert config.get("transport.ssl.chk_hostname") is False
+    
+    print("✅ Default config: chk_hostname=False for HTTP")
+
+
+def test_chk_hostname_http_config():
+    """Test that HTTP config has chk_hostname=False."""
+    print("🧪 Testing HTTP config chk_hostname...")
+    
+    # Create HTTP config
+    http_config = ConfigBuilder().set_protocol(Protocol.HTTP).build()
+    
+    # Save to temporary file and load with Config
+    with tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False) as f:
+        json.dump(http_config, f)
+        temp_config_path = f.name
+    
+    try:
+        config = Config(temp_config_path)
+        
+        # HTTP should have chk_hostname=False
+        assert config.get("server.protocol") == "http"
+        assert config.get("transport.ssl.chk_hostname") is False
+        
+        print("✅ HTTP config: chk_hostname=False")
+    finally:
+        os.unlink(temp_config_path)
+
+
+def test_chk_hostname_https_config():
+    """Test that HTTPS config has chk_hostname=True."""
+    print("🧪 Testing HTTPS config chk_hostname...")
+    
+    # Create HTTPS config
+    https_config = ConfigBuilder().set_protocol(Protocol.HTTPS).build()
+    
+    # Save to temporary file and load with Config
+    with tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False) as f:
+        json.dump(https_config, f)
+        temp_config_path = f.name
+    
+    try:
+        config = Config(temp_config_path)
+        
+        
+        # HTTPS should have chk_hostname=True
+        assert config.get("server.protocol") == "https"
+        assert config.get("transport.ssl.chk_hostname") is True
+        
+        print("✅ HTTPS config: chk_hostname=True")
+    finally:
+        os.unlink(temp_config_path)
+
+
+def test_chk_hostname_mtls_config():
+    """Test that mTLS config has chk_hostname=True."""
+    print("🧪 Testing mTLS config chk_hostname...")
+    
+    # Create mTLS config
+    mtls_config = ConfigBuilder().set_protocol(Protocol.MTLS).build()
+    
+    # Save to temporary file and load with Config
+    with tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False) as f:
+        json.dump(mtls_config, f)
+        temp_config_path = f.name
+    
+    try:
+        config = Config(temp_config_path)
+        
+        # mTLS should have chk_hostname=True
+        assert config.get("server.protocol") == "mtls"
+        assert config.get("transport.ssl.chk_hostname") is True
+        
+        print("✅ mTLS config: chk_hostname=True")
+    finally:
+        os.unlink(temp_config_path)
+
+
+def test_chk_hostname_override():
+    """Test that chk_hostname can be overridden in config."""
+    print("🧪 Testing chk_hostname override...")
+    
+    # Create HTTPS config with chk_hostname=False override
+    https_config = ConfigBuilder().set_protocol(Protocol.HTTPS).build()
+    # Add transport section if it doesn't exist
+    if "transport" not in https_config:
+        https_config["transport"] = {}
+    if "ssl" not in https_config["transport"]:
+        https_config["transport"]["ssl"] = {}
+    https_config["transport"]["ssl"]["chk_hostname"] = False
+    https_config["transport"]["ssl"]["_chk_hostname_user_set"] = True
+    
+    # Save to temporary file and load with Config
+    with tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False) as f:
+        json.dump(https_config, f)
+        temp_config_path = f.name
+    
+    try:
+        config = Config(temp_config_path)
+        
+        
+        # Should respect the override
+        assert config.get("server.protocol") == "https"
+        assert config.get("transport.ssl.chk_hostname") is False
+        
+        print("✅ HTTPS config with chk_hostname=False override works")
+    finally:
+        os.unlink(temp_config_path)
+
+
+def test_chk_hostname_all_combinations():
+    """Test chk_hostname for all protocol and auth combinations."""
+    print("🧪 Testing chk_hostname for all combinations...")
+    
+    protocols = [Protocol.HTTP, Protocol.HTTPS, Protocol.MTLS]
+    auth_methods = [AuthMethod.NONE, AuthMethod.TOKEN, AuthMethod.TOKEN_ROLES]
+    
+    for protocol in protocols:
+        for auth_method in auth_methods:
+            # Create config
+            config_data = (ConfigBuilder()
+                          .set_protocol(protocol)
+                          .set_auth(auth_method)
+                          .build())
+            
+            # Save to temporary file and load with Config
+            with tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False) as f:
+                json.dump(config_data, f)
+                temp_config_path = f.name
+            
+            try:
+                config = Config(temp_config_path)
+                
+                protocol_name = protocol.value
+                auth_name = auth_method.value
+                
+                # Check chk_hostname based on protocol
+                if protocol_name == "http":
+                    expected_chk_hostname = False
+                else:  # https or mtls
+                    expected_chk_hostname = True
+                
+                actual_chk_hostname = config.get("transport.ssl.chk_hostname")
+                
+                assert actual_chk_hostname == expected_chk_hostname, (
+                    f"Protocol {protocol_name} with auth {auth_name}: "
+                    f"expected chk_hostname={expected_chk_hostname}, "
+                    f"got {actual_chk_hostname}"
+                )
+                
+                print(f"✅ {protocol_name}+{auth_name}: chk_hostname={actual_chk_hostname}")
+                
+            finally:
+                os.unlink(temp_config_path)
+    
+    print("✅ All protocol+auth combinations have correct chk_hostname values")
+
+
+def main():
+    """Run all chk_hostname tests."""
+    print("🧪 Running Automated chk_hostname Tests")
+    print("=" * 50)
+    
+    try:
+        test_chk_hostname_default_config()
+        test_chk_hostname_http_config()
+        test_chk_hostname_https_config()
+        test_chk_hostname_mtls_config()
+        test_chk_hostname_override()
+        test_chk_hostname_all_combinations()
+        
+        print("=" * 50)
+        print("🎉 All chk_hostname tests passed!")
+        return True
+        
+    except Exception as e:
+        print(f"❌ Test failed: {e}")
+        import traceback
+        traceback.print_exc()
+        return False
+
+
+if __name__ == "__main__":
+    success = main()
+    sys.exit(0 if success else 1)

mcp_proxy_adapter/examples/test_config_builder.py

@@ -60,7 +60,9 @@ class TestConfigBuilder:
         config = builder.set_protocol(Protocol.HTTP).build()
         
         assert config["ssl"]["enabled"] is False
+        assert config["ssl"]["chk_hostname"] is False
         assert config["security"]["ssl"]["enabled"] is False
+        assert config["security"]["ssl"]["chk_hostname"] is False
         assert config["protocols"]["allowed_protocols"] == ["http"]
         assert config["protocols"]["default_protocol"] == "http"
         assert config["protocols"]["protocol_handlers"]["http"]["enabled"] is True
@@ -73,11 +75,13 @@ class TestConfigBuilder:
         config = builder.set_protocol(Protocol.HTTPS, cert_dir="/tmp/certs", key_dir="/tmp/keys").build()
         
         assert config["ssl"]["enabled"] is True
+        assert config["ssl"]["chk_hostname"] is True
         assert config["ssl"]["cert_file"] == "/tmp/certs/server_cert.pem"
         assert config["ssl"]["key_file"] == "/tmp/keys/server_key.pem"
         assert config["ssl"]["ca_cert"] == "/tmp/certs/ca_cert.pem"
         
         assert config["security"]["ssl"]["enabled"] is True
+        assert config["security"]["ssl"]["chk_hostname"] is True
         assert config["security"]["ssl"]["cert_file"] == "/tmp/certs/server_cert.pem"
         assert config["security"]["ssl"]["key_file"] == "/tmp/keys/server_key.pem"
         assert config["security"]["ssl"]["ca_cert_file"] == "/tmp/certs/ca_cert.pem"
@@ -94,10 +98,12 @@ class TestConfigBuilder:
         config = builder.set_protocol(Protocol.MTLS, cert_dir="/tmp/certs", key_dir="/tmp/keys").build()
         
         assert config["ssl"]["enabled"] is True
+        assert config["ssl"]["chk_hostname"] is True
         assert config["ssl"]["verify_client"] is True
         assert config["ssl"]["client_cert_required"] is True
         
         assert config["security"]["ssl"]["enabled"] is True
+        assert config["security"]["ssl"]["chk_hostname"] is True
         assert config["security"]["ssl"]["client_cert_file"] == "/tmp/certs/admin_cert.pem"
         assert config["security"]["ssl"]["client_key_file"] == "/tmp/keys/admin_key.pem"
         assert config["security"]["ssl"]["verify_mode"] == "CERT_REQUIRED"
@@ -186,6 +192,40 @@ class TestConfigBuilder:
         assert config["commands"]["enabled_commands"] == enabled
         assert config["commands"]["disabled_commands"] == disabled
     
+    def test_set_hostname_check(self):
+        """Test hostname check configuration."""
+        builder = ConfigBuilder()
+        
+        # Test enabling hostname check
+        config = builder.set_hostname_check(enabled=True).build()
+        assert config["ssl"]["chk_hostname"] is True
+        assert config["security"]["ssl"]["chk_hostname"] is True
+        
+        # Test disabling hostname check
+        config = builder.set_hostname_check(enabled=False).build()
+        assert config["ssl"]["chk_hostname"] is False
+        assert config["security"]["ssl"]["chk_hostname"] is False
+    
+    def test_hostname_check_with_protocols(self):
+        """Test hostname check behavior with different protocols."""
+        # HTTP should have chk_hostname = False
+        builder = ConfigBuilder()
+        config = builder.set_protocol(Protocol.HTTP).build()
+        assert config["ssl"]["chk_hostname"] is False
+        assert config["security"]["ssl"]["chk_hostname"] is False
+        
+        # HTTPS should have chk_hostname = True
+        builder = ConfigBuilder()
+        config = builder.set_protocol(Protocol.HTTPS).build()
+        assert config["ssl"]["chk_hostname"] is True
+        assert config["security"]["ssl"]["chk_hostname"] is True
+        
+        # mTLS should have chk_hostname = True
+        builder = ConfigBuilder()
+        config = builder.set_protocol(Protocol.MTLS).build()
+        assert config["ssl"]["chk_hostname"] is True
+        assert config["security"]["ssl"]["chk_hostname"] is True
+    
     def test_save_configuration(self):
         """Test saving configuration to file."""
         with tempfile.TemporaryDirectory() as temp_dir: