mcp-proxy-adapter 6.4.48__tar.gz → 6.6.1__tar.gz

{mcp_proxy_adapter-6.4.48 → mcp_proxy_adapter-6.6.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-proxy-adapter
-Version: 6.4.48
+Version: 6.6.1
 Summary: Powerful JSON-RPC microservices framework with built-in security, authentication, and proxy registration
 Home-page: https://github.com/maverikod/mcp-proxy-adapter
 Author: Vasiliy Zdanovskiy

{mcp_proxy_adapter-6.4.48 → mcp_proxy_adapter-6.6.1}/mcp_proxy_adapter/api/middleware/unified_security.py

@@ -65,11 +65,10 @@ class UnifiedSecurityMiddleware(BaseHTTPMiddleware):
         try:
             security_config = config.get("security", {})
             
-            # Check if permissions are enabled - only use mcp_security_framework if needed
-            permissions_config = security_config.get("permissions", {})
-            permissions_enabled = permissions_config.get("enabled", False)
+            # Check if security is enabled - use mcp_security_framework if needed
+            security_enabled = security_config.get("enabled", False)
             
-            if permissions_enabled:
+            if security_enabled:
                 self.security_integration = create_security_integration(security_config)
                 # Use framework's FastAPI middleware
                 self.framework_middleware = (
@@ -80,7 +79,7 @@ class UnifiedSecurityMiddleware(BaseHTTPMiddleware):
                 # Instead, store the framework middleware for use in dispatch method.
                 logger.info("Framework middleware will be used in dispatch method")
             else:
-                logger.info("Permissions disabled, skipping mcp_security_framework integration")
+                logger.info("Security disabled, skipping mcp_security_framework integration")
                 self.security_integration = None
                 self.framework_middleware = None
         except Exception as e:
@@ -114,16 +113,13 @@ class UnifiedSecurityMiddleware(BaseHTTPMiddleware):
             security_cfg = (
                 self.config.get("security", {}) if isinstance(self.config, dict) else {}
             )
-            auth_cfg = security_cfg.get("auth", {})
-            permissions_cfg = security_cfg.get("permissions", {})
-            public_paths = set(
-                auth_cfg.get("public_paths", ["/health", "/docs", "/openapi.json"])
-            )
+            # Use new simplified structure
+            public_paths = set(["/health", "/docs", "/openapi.json"])
             # JSON-RPC endpoint must not be public when API key is required
             public_paths.discard("/api/jsonrpc")
             path = request.url.path
-            methods = set(auth_cfg.get("methods", []))
-            api_keys: Dict[str, str] = auth_cfg.get("api_keys", {}) or {}
+            methods = set(["api_key"])  # Use token-based authentication
+            api_keys: Dict[str, str] = security_cfg.get("tokens", {}) or {}
 
             # Enforce only for non-public paths when api_key method configured
             if (

{mcp_proxy_adapter-6.4.48 → mcp_proxy_adapter-6.6.1}/mcp_proxy_adapter/config.py

@@ -6,9 +6,12 @@ email: vasilyvz@gmail.com
 """
 
 import json
+import logging
 import os
 from typing import Any, Dict, Optional, List
 
+logger = logging.getLogger(__name__)
+
 
 class Config:
     """
@@ -38,6 +41,7 @@ class Config:
             "server": {
                 "host": "0.0.0.0",
                 "port": 8000,
+                "protocol": "http",
                 "debug": False,
                 "log_level": "INFO",
             },
@@ -65,30 +69,6 @@ class Config:
                 "disabled_commands": [],
                 "custom_commands_path": "./commands",
             },
-            "ssl": {
-                "enabled": False,
-                "mode": "https_only",
-                "cert_file": None,
-                "key_file": None,
-                "ca_cert": None,
-                "verify_client": False,
-                "client_cert_required": False,
-                "cipher_suites": [
-                    "TLS_AES_256_GCM_SHA384",
-                    "TLS_CHACHA20_POLY1305_SHA256",
-                ],
-                "min_tls_version": "TLSv1.2",
-                "max_tls_version": "1.3",
-                "token_auth": {
-                    "enabled": False,
-                    "header_name": "Authorization",
-                    "token_prefix": "Bearer",
-                    "tokens_file": "tokens.json",
-                    "token_expiry": 3600,
-                    "jwt_secret": "",
-                    "jwt_algorithm": "HS256",
-                },
-            },
             "roles": {
                 "enabled": False,
                 "config_file": None,
@@ -111,6 +91,7 @@ class Config:
                     "ca_cert": None,
                     "verify_client": False,
                     "client_cert_required": False,
+                    "chk_hostname": False,  # Default to False when SSL is disabled
                 },
             },
             "proxy_registration": {
@@ -128,102 +109,18 @@ class Config:
             },
             "debug": {"enabled": False, "level": "WARNING"},
             "security": {
-                "framework": "mcp_security_framework",
                 "enabled": False,
-                "debug": False,
-                "environment": "dev",
-                "version": "1.0.0",
-                "auth": {
-                    "enabled": False,
-                    "methods": ["api_key"],
-                    "api_keys": {},
-                    "user_roles": {},
-                    "jwt_secret": "",
-                    "jwt_algorithm": "HS256",
-                    "jwt_expiry_hours": 24,
-                    "certificate_auth": False,
-                    "certificate_roles_oid": "1.3.6.1.4.1.99999.1.1",
-                    "certificate_permissions_oid": "1.3.6.1.4.1.99999.1.2",
-                    "basic_auth": False,
-                    "oauth2_config": None,
-                    "public_paths": ["/health", "/docs", "/openapi.json"],
-                    "security_headers": None,
+                "tokens": {
+                    "admin": "admin-secret-key",
+                    "user": "user-secret-key",
+                    "readonly": "readonly-secret-key"
                 },
-                "ssl": {
-                    "enabled": False,
-                    "cert_file": None,
-                    "key_file": None,
-                    "ca_cert_file": None,
-                    "client_cert_file": None,
-                    "client_key_file": None,
-                    "verify_mode": "CERT_NONE",
-                    "min_tls_version": "TLSv1.2",
-                    "max_tls_version": None,
-                    "cipher_suite": None,
-                    "check_hostname": True,
-                    "check_expiry": True,
-                    "expiry_warning_days": 30,
-                },
-                "certificates": {
-                    "enabled": False,
-                    "ca_cert_path": None,
-                    "ca_key_path": None,
-                    "cert_storage_path": "./certs",
-                    "key_storage_path": "./keys",
-                    "default_validity_days": 365,
-                    "key_size": 2048,
-                    "hash_algorithm": "sha256",
-                    "crl_enabled": False,
-                    "crl_path": None,
-                    "crl_url": None,
-                    "crl_validity_days": 30,
-                    "auto_renewal": False,
-                    "renewal_threshold_days": 30,
+                "roles": {
+                    "admin": ["read", "write", "delete", "admin"],
+                    "user": ["read", "write"],
+                    "readonly": ["read"]
                 },
-                "permissions": {
-                    "enabled": False,
-                    "roles_file": None,
-                    "default_role": "guest",
-                    "admin_role": "admin",
-                    "role_hierarchy": {},
-                    "permission_cache_enabled": False,
-                    "permission_cache_ttl": 300,
-                    "wildcard_permissions": False,
-                    "strict_mode": False,
-                    "roles": None,
-                },
-                "rate_limit": {
-                    "enabled": False,
-                    "default_requests_per_minute": 60,
-                    "default_requests_per_hour": 1000,
-                    "burst_limit": 2,
-                    "window_size_seconds": 60,
-                    "storage_backend": "memory",
-                    "redis_config": None,
-                    "cleanup_interval": 300,
-                    "exempt_paths": ["/health", "/docs", "/openapi.json"],
-                    "exempt_roles": ["admin"],
-                },
-                "logging": {
-                    "enabled": True,
-                    "level": "INFO",
-                    "format": "%(asctime)s - %(name)s - %(levelname)s - %(message)s",
-                    "date_format": "%Y-%m-%d %H:%M:%S",
-                    "file_path": None,
-                    "max_file_size": 10,
-                    "backup_count": 5,
-                    "console_output": True,
-                    "json_format": False,
-                    "include_timestamp": True,
-                    "include_level": True,
-                    "include_module": True,
-                },
-            },
-            "protocols": {
-                "enabled": True,
-                "allowed_protocols": ["http", "jsonrpc"],
-                "default_protocol": "http",
-                "auto_discovery": True,
+                "roles_file": None
             },
         }
 
@@ -238,6 +135,10 @@ class Config:
 
         # Load configuration from environment variables
         self._load_env_variables()
+        
+        # Apply hostname check logic based on SSL configuration
+        self._validate_security_config()
+        self._apply_hostname_check_logic()
 
     def load_from_file(self, config_path: str) -> None:
         """
@@ -344,6 +245,12 @@ class Config:
                 current = current[part]
 
             current[parts[-1]] = value
+            
+            # Special handling for chk_hostname - mark it as user-set
+            if key == "transport.ssl.chk_hostname":
+                if "ssl" not in self.config_data.get("transport", {}):
+                    self.config_data["transport"]["ssl"] = {}
+                self.config_data["transport"]["ssl"]["_chk_hostname_user_set"] = True
 
     def save(self, path: Optional[str] = None) -> None:
         """
@@ -588,6 +495,58 @@ class Config:
 
         return secure_config
 
+    def _validate_security_config(self) -> None:
+        """
+        Validate security configuration and log warnings for incomplete setup.
+        """
+        if not self.get("security.enabled", False):
+            return
+            
+        # Check if security is enabled but no authentication methods are configured
+        tokens = self.get("security.tokens", {})
+        roles = self.get("security.roles", {})
+        roles_file = self.get("security.roles_file")
+        
+        has_tokens = bool(tokens and any(tokens.values()))
+        has_roles = bool(roles and any(roles.values()))
+        has_roles_file = bool(roles_file and os.path.exists(roles_file))
+        
+        if not (has_tokens or has_roles or has_roles_file):
+            logger.warning(
+                "Security is enabled but no authentication methods are configured. "
+                "Please configure tokens, roles, or roles_file in the security section."
+            )
+
+    def _apply_hostname_check_logic(self) -> None:
+        """
+        Apply hostname check logic based on protocol configuration.
+        chk_hostname should be True for HTTPS/mTLS protocols, False for HTTP.
+        Only set default values if chk_hostname is not explicitly configured.
+        """
+        protocol = self.get("server.protocol", "http")
+        ssl_enabled = self.get("transport.ssl.enabled", False)
+        
+        # Check if chk_hostname is explicitly set by the user
+        # We check if it was set by looking for a special flag
+        transport_section = self.config_data.get("transport", {})
+        ssl_section = transport_section.get("ssl", {})
+        chk_hostname_explicitly_set = ssl_section.get("_chk_hostname_user_set", False)
+        
+        # Set chk_hostname based on protocol only if not explicitly set
+        if not chk_hostname_explicitly_set:
+            if protocol in ["https", "mtls"]:
+                # For HTTPS/mTLS, enable hostname checking by default
+                self.set("transport.ssl.chk_hostname", True)
+                logger.debug(f"Set chk_hostname=True for protocol {protocol} (default)")
+            else:
+                # For HTTP, disable hostname checking
+                self.set("transport.ssl.chk_hostname", False)
+                logger.debug(f"Set chk_hostname=False for protocol {protocol} (default)")
+        else:
+            # Log the explicitly set value
+            chk_hostname_value = self.get("transport.ssl.chk_hostname")
+            logger.debug(f"Using explicitly set chk_hostname={chk_hostname_value} for protocol {protocol}")
+
 
 # Singleton instance
 config = Config()

{mcp_proxy_adapter-6.4.48 → mcp_proxy_adapter-6.6.1}/mcp_proxy_adapter/core/protocol_manager.py

@@ -56,54 +56,37 @@ class ProtocolManager:
                 f"ProtocolManager._load_config - current_config keys: {list(current_config.keys()) if hasattr(current_config, 'keys') else 'no keys'}"
             )
 
-        # Get protocols configuration
-        logger.debug(f"ProtocolManager._load_config - before getting protocols")
+        # Get server protocol configuration (new simplified structure)
+        logger.debug(f"ProtocolManager._load_config - before getting server protocol")
         try:
-            self.protocols_config = current_config.get("protocols", {})
-            logger.debug(
-                f"ProtocolManager._load_config - protocols_config type: {type(self.protocols_config)}"
-            )
-            if hasattr(self.protocols_config, "get"):
-                logger.debug(
-                    f"ProtocolManager._load_config - protocols_config is dict-like"
-                )
+            server_config = current_config.get("server", {})
+            server_protocol = server_config.get("protocol", "http")
+            logger.debug(f"ProtocolManager._load_config - server protocol: {server_protocol}")
+            
+            # Set allowed protocols based on server protocol
+            if server_protocol == "http":
+                self.allowed_protocols = ["http"]
+            elif server_protocol == "https":
+                self.allowed_protocols = ["https"]
+            elif server_protocol == "mtls":
+                self.allowed_protocols = ["mtls", "https"]  # mTLS also supports HTTPS
             else:
-                logger.debug(
-                    f"ProtocolManager._load_config - protocols_config is NOT dict-like: {repr(self.protocols_config)}"
-                )
+                # Fallback to HTTP
+                self.allowed_protocols = ["http"]
+                logger.warning(f"Unknown server protocol '{server_protocol}', defaulting to HTTP")
+                
+            logger.debug(f"ProtocolManager._load_config - allowed protocols: {self.allowed_protocols}")
+            
         except Exception as e:
-            logger.debug(f"ProtocolManager._load_config - ERROR getting protocols: {e}")
-            self.protocols_config = {}
+            logger.debug(f"ProtocolManager._load_config - ERROR getting server protocol: {e}")
+            # Fallback to HTTP
+            self.allowed_protocols = ["http"]
 
-        self.enabled = (
-            self.protocols_config.get("enabled", True)
-            if hasattr(self.protocols_config, "get")
-            else True
-        )
-
-        # Get SSL configuration to determine allowed protocols
-        ssl_enabled = self._is_ssl_enabled(current_config)
-
-        # Set allowed protocols based on SSL configuration
-        if ssl_enabled:
-            # If SSL is enabled, allow both HTTP and HTTPS
-            self.allowed_protocols = self.protocols_config.get(
-                "allowed_protocols", ["http", "https"]
-            )
-            # Ensure HTTPS is in allowed protocols if SSL is enabled
-            if "https" not in self.allowed_protocols:
-                self.allowed_protocols.append("https")
-        else:
-            # If SSL is disabled, only allow HTTP
-            self.allowed_protocols = self.protocols_config.get(
-                "allowed_protocols", ["http"]
-            )
-            # Remove HTTPS from allowed protocols if SSL is disabled
-            if "https" in self.allowed_protocols:
-                self.allowed_protocols.remove("https")
+        # Protocol management is always enabled in new structure
+        self.enabled = True
 
         logger.debug(
-            f"Protocol manager loaded config: enabled={self.enabled}, allowed_protocols={self.allowed_protocols}, ssl_enabled={ssl_enabled}"
+            f"Protocol manager loaded config: enabled={self.enabled}, allowed_protocols={self.allowed_protocols}"
         )
 
     def _is_ssl_enabled(self, current_config: Dict) -> bool:

{mcp_proxy_adapter-6.4.48 → mcp_proxy_adapter-6.6.1}/mcp_proxy_adapter/core/security_integration.py

@@ -88,53 +88,42 @@ class SecurityIntegration:
         # self.config is already the security section passed from unified_security.py
         security_section = self.config
 
-        # Create SSL config
+        # Create SSL config - SSL is handled by server protocol, not security config
         ssl_config = SSLConfig(
-            enabled=security_section.get("ssl", {}).get("enabled", False),
-            cert_file=security_section.get("ssl", {}).get("cert_file"),
-            key_file=security_section.get("ssl", {}).get("key_file"),
-            ca_cert_file=security_section.get("ssl", {}).get("ca_cert_file"),
-            client_cert_file=security_section.get("ssl", {}).get("client_cert_file"),
-            client_key_file=security_section.get("ssl", {}).get("client_key_file"),
-            verify_mode=security_section.get("ssl", {}).get(
-                "verify_mode", "CERT_REQUIRED"
-            ),
-            min_tls_version=security_section.get("ssl", {}).get(
-                "min_tls_version", "TLSv1.2"
-            ),
-            check_hostname=security_section.get("ssl", {}).get("check_hostname", True),
-            check_expiry=security_section.get("ssl", {}).get("check_expiry", True),
-            expiry_warning_days=security_section.get("ssl", {}).get(
-                "expiry_warning_days", 30
-            ),
+            enabled=False,  # SSL is handled by server protocol
+            cert_file=None,
+            key_file=None,
+            ca_cert_file=None,
+            client_cert_file=None,
+            client_key_file=None,
+            verify_mode="CERT_REQUIRED",
+            min_tls_version="TLSv1.2",
+            check_hostname=True,
+            check_expiry=True,
+            expiry_warning_days=30,
         )
 
-        # Create auth config
+        # Create auth config - use new simplified structure
         auth_config = AuthConfig(
-            enabled=security_section.get("auth", {}).get("enabled", True),
-            methods=security_section.get("auth", {}).get("methods", ["api_key"]),
-            api_keys=security_section.get("auth", {}).get("api_keys", {}),
-            user_roles=security_section.get("auth", {}).get("user_roles", {}),
-            jwt_secret=security_section.get("auth", {}).get("jwt_secret"),
-            jwt_algorithm=security_section.get("auth", {}).get(
-                "jwt_algorithm", "HS256"
-            ),
-            jwt_expiry_hours=security_section.get("auth", {}).get(
-                "jwt_expiry_hours", 24
-            ),
-            certificate_auth=security_section.get("auth", {}).get(
-                "certificate_auth", False
-            ),
-            public_paths=security_section.get("auth", {}).get("public_paths", []),
+            enabled=security_section.get("enabled", True),
+            methods=["api_key"],  # Use token-based authentication
+            api_keys=security_section.get("tokens", {}),
+            user_roles={},  # Will be handled by permissions
+            jwt_secret=None,
+            jwt_algorithm="HS256",
+            jwt_expiry_hours=24,
+            certificate_auth=False,
+            public_paths=[],
         )
 
-        # Create permission config - handle null values properly
-        permissions_section = security_section.get("permissions", {})
-        permissions_enabled = permissions_section.get("enabled", True)
+        # Create permission config - use new simplified structure
+        roles = security_section.get("roles", {})
+        roles_file = security_section.get("roles_file")
+        
+        # Enable permissions if we have roles or roles_file
+        permissions_enabled = bool(roles or roles_file)
 
         if permissions_enabled:
-            roles_file = permissions_section.get("roles_file")
-
             # If roles_file is None or empty string, don't pass it to avoid framework errors
             if roles_file is None or roles_file == "":
                 logger.warning(
@@ -145,20 +134,14 @@ class SecurityIntegration:
             permission_config = PermissionConfig(
                 enabled=True,
                 roles_file=roles_file,
-                default_role=permissions_section.get("default_role", "guest"),
-                admin_role=permissions_section.get("admin_role", "admin"),
-                role_hierarchy=permissions_section.get("role_hierarchy", {}),
-                permission_cache_enabled=permissions_section.get(
-                    "permission_cache_enabled", True
-                ),
-                permission_cache_ttl=permissions_section.get(
-                    "permission_cache_ttl", 300
-                ),
-                wildcard_permissions=permissions_section.get(
-                    "wildcard_permissions", False
-                ),
-                strict_mode=permissions_section.get("strict_mode", True),
-                roles=permissions_section.get("roles"),
+                default_role="guest",
+                admin_role="admin",
+                role_hierarchy={},
+                permission_cache_enabled=True,
+                permission_cache_ttl=300,
+                wildcard_permissions=False,
+                strict_mode=True,
+                roles=roles,
             )
         else:
             # Create minimal permission config when permissions are disabled
@@ -175,57 +158,37 @@ class SecurityIntegration:
                 roles={},
             )
 
-        # Create rate limit config
+        # Create rate limit config - use defaults since rate_limit section doesn't exist in new structure
         rate_limit_config = RateLimitConfig(
-            enabled=security_section.get("rate_limit", {}).get("enabled", True),
-            default_requests_per_minute=security_section.get("rate_limit", {}).get(
-                "default_requests_per_minute", 60
-            ),
-            default_requests_per_hour=security_section.get("rate_limit", {}).get(
-                "default_requests_per_hour", 1000
-            ),
-            burst_limit=security_section.get("rate_limit", {}).get("burst_limit", 2),
-            window_size_seconds=security_section.get("rate_limit", {}).get(
-                "window_size_seconds", 60
-            ),
-            storage_backend=security_section.get("rate_limit", {}).get(
-                "storage_backend", "memory"
-            ),
-            exempt_paths=security_section.get("rate_limit", {}).get("exempt_paths", []),
-            exempt_roles=security_section.get("rate_limit", {}).get("exempt_roles", []),
+            enabled=True,
+            default_requests_per_minute=60,
+            default_requests_per_hour=1000,
+            burst_limit=2,
+            window_size_seconds=60,
+            storage_backend="memory",
+            exempt_paths=[],
+            exempt_roles=[],
         )
 
-        # Create certificate config
+        # Create certificate config - certificates are handled by server protocol
         certificate_config = CertificateConfig(
-            enabled=security_section.get("certificates", {}).get("enabled", False),
-            ca_cert_path=security_section.get("certificates", {}).get("ca_cert_path"),
-            ca_key_path=security_section.get("certificates", {}).get("ca_key_path"),
-            cert_storage_path=security_section.get("certificates", {}).get(
-                "cert_storage_path", "./certs"
-            ),
-            key_storage_path=security_section.get("certificates", {}).get(
-                "key_storage_path", "./keys"
-            ),
-            default_validity_days=security_section.get("certificates", {}).get(
-                "default_validity_days", 365
-            ),
-            key_size=security_section.get("certificates", {}).get("key_size", 2048),
-            hash_algorithm=security_section.get("certificates", {}).get(
-                "hash_algorithm", "sha256"
-            ),
+            enabled=False,  # Certificates are handled by server protocol
+            ca_cert_path=None,
+            ca_key_path=None,
+            cert_storage_path="./certs",
+            key_storage_path="./keys",
+            default_validity_days=365,
+            key_size=2048,
+            hash_algorithm="sha256",
         )
 
-        # Create logging config
+        # Create logging config - use defaults since logging section doesn't exist in new structure
         logging_config = LoggingConfig(
-            enabled=security_section.get("logging", {}).get("enabled", True),
-            level=security_section.get("logging", {}).get("level", "INFO"),
-            format=security_section.get("logging", {}).get(
-                "format", "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
-            ),
-            console_output=security_section.get("logging", {}).get(
-                "console_output", True
-            ),
-            file_path=security_section.get("logging", {}).get("file_path"),
+            enabled=True,
+            level="INFO",
+            format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
+            console_output=True,
+            file_path=None,
         )
 
         # Create main security config

{mcp_proxy_adapter-6.4.48 → mcp_proxy_adapter-6.6.1}/mcp_proxy_adapter/core/server_adapter.py

@@ -67,6 +67,10 @@ class ServerConfigAdapter:
         if ssl_config.get("verify_client", False):
             hypercorn_ssl["verify_mode"] = "CERT_REQUIRED"
 
+        # Map hostname checking
+        if "chk_hostname" in ssl_config:
+            hypercorn_ssl["check_hostname"] = ssl_config["chk_hostname"]
+
         logger.debug(f"Converted SSL config to hypercorn: {hypercorn_ssl}")
         return hypercorn_ssl