mcp-proxy-adapter 6.9.43__py3-none-any.whl

mcp_proxy_adapter/core/config_validator.py

@@ -0,0 +1,211 @@
+"""
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+
+Main configuration validator for MCP Proxy Adapter.
+"""
+
+import json
+import logging
+from pathlib import Path
+from typing import Dict, List, Any, Optional
+
+from .file_validator import FileValidator
+from .security_validator import SecurityValidator
+from .protocol_validator import ProtocolValidator
+
+logger = logging.getLogger(__name__)
+
+
+class ConfigValidator:
+    """
+    Comprehensive configuration validator for MCP Proxy Adapter.
+    
+    Validates:
+    - Required sections and keys
+    - File existence for referenced files
+    - Feature flag dependencies
+    - Protocol-specific requirements
+    - Security configuration consistency
+    """
+    
+    def __init__(self, config_path: Optional[str] = None):
+        """
+        Initialize configuration validator.
+
+        Args:
+            config_path: Path to configuration file (optional)
+        """
+        self.config_path = config_path
+        self.config_data: Dict[str, Any] = {}
+        self.validation_results: List[ValidationResult] = []
+
+    def load_config(self, config_path: Optional[str] = None) -> None:
+        """
+        Load configuration from file.
+
+        Args:
+            config_path: Path to configuration file
+        """
+        if config_path:
+            self.config_path = config_path
+        
+        if not self.config_path:
+            raise ValueError("No configuration path provided")
+        
+        try:
+            with open(self.config_path, 'r', encoding='utf-8') as f:
+                self.config_data = json.load(f)
+            logger.info(f"Configuration loaded from {self.config_path}")
+        except FileNotFoundError:
+            raise FileNotFoundError(f"Configuration file not found: {self.config_path}")
+        except json.JSONDecodeError as e:
+            raise ValueError(f"Invalid JSON in configuration file: {e}")
+        except Exception as e:
+            raise RuntimeError(f"Error loading configuration: {e}")
+
+    def validate_config(self, config_data: Optional[Dict[str, Any]] = None) -> List[ValidationResult]:
+        """
+        Validate configuration data.
+
+        Args:
+            config_data: Configuration data to validate (optional)
+
+        Returns:
+            List of validation results
+        """
+        if config_data is not None:
+            self.config_data = config_data
+        
+        if not self.config_data:
+            raise ValueError("No configuration data to validate")
+        
+        self.validation_results = []
+        
+        # Initialize validators
+        file_validator = FileValidator(self.config_data)
+        security_validator = SecurityValidator(self.config_data)
+        protocol_validator = ProtocolValidator(self.config_data)
+        
+        # Run all validations
+        self.validation_results.extend(protocol_validator.validate_required_sections())
+        self.validation_results.extend(protocol_validator.validate_protocol_requirements())
+        self.validation_results.extend(file_validator.validate_file_existence())
+        self.validation_results.extend(security_validator.validate_security_consistency())
+        self.validation_results.extend(security_validator.validate_ssl_configuration())
+        self.validation_results.extend(security_validator.validate_roles_configuration())
+        self.validation_results.extend(security_validator.validate_proxy_registration())
+        
+        # Additional validations
+        self._validate_unknown_fields()
+        self._validate_uuid_format()
+        
+        return self.validation_results
+
+    def validate_all(self, config_data: Optional[Dict[str, Any]] = None) -> List[ValidationResult]:
+        """
+        Validate all aspects of the configuration.
+
+        Args:
+            config_data: Configuration data to validate (optional)
+
+        Returns:
+            List of validation results
+        """
+        return self.validate_config(config_data)
+
+    def _validate_unknown_fields(self) -> None:
+        """Validate for unknown configuration fields."""
+        known_sections = {
+            "server", "protocols", "security", "ssl", "auth", "roles", 
+            "logging", "commands", "proxy_registration", "transport"
+        }
+        
+        for section in self.config_data.keys():
+            if section not in known_sections:
+                self.validation_results.append(ValidationResult(
+                    level="warning",
+                    message=f"Unknown configuration section: {section}",
+                    section=section,
+                    suggestion="Check if this section is needed or if it's a typo"
+                ))
+
+    def _validate_uuid_format(self) -> None:
+        """Validate UUID format in configuration."""
+        uuid_fields = ["server.server_id", "proxy_registration.server_id"]
+        
+        for field in uuid_fields:
+            value = self._get_nested_value_safe(field)
+            if value and not self._is_valid_uuid4(str(value)):
+                self.validation_results.append(ValidationResult(
+                    level="warning",
+                    message=f"Invalid UUID format in {field}: {value}",
+                    section=field.split(".")[0],
+                    key=field.split(".")[1],
+                    suggestion="Use a valid UUID4 format"
+                ))
+
+    def _is_valid_uuid4(self, uuid_str: str) -> bool:
+        """Check if string is a valid UUID4."""
+        import re
+        uuid_pattern = r'^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'
+        return bool(re.match(uuid_pattern, uuid_str, re.IGNORECASE))
+
+    def _get_nested_value_safe(self, key: str, default: Any = None) -> Any:
+        """Safely get a nested value from configuration."""
+        keys = key.split('.')
+        value = self.config_data
+        
+        for k in keys:
+            if isinstance(value, dict) and k in value:
+                value = value[k]
+            else:
+                return default
+        
+        return value
+
+    def get_validation_summary(self) -> Dict[str, Any]:
+        """
+        Get a summary of validation results.
+
+        Returns:
+            Dictionary with validation summary
+        """
+        error_count = sum(1 for r in self.validation_results if r.level == "error")
+        warning_count = sum(1 for r in self.validation_results if r.level == "warning")
+        info_count = sum(1 for r in self.validation_results if r.level == "info")
+        
+        return {
+            "total_issues": len(self.validation_results),
+            "errors": error_count,
+            "warnings": warning_count,
+            "info": info_count,
+            "is_valid": error_count == 0
+        }
+
+    def print_validation_report(self) -> None:
+        """Print a formatted validation report."""
+        summary = self.get_validation_summary()
+        
+        print(f"\\n📋 Configuration Validation Report")
+        print(f"{'=' * 40}")
+        print(f"Total issues: {summary['total_issues']}")
+        print(f"Errors: {summary['errors']}")
+        print(f"Warnings: {summary['warnings']}")
+        print(f"Info: {summary['info']}")
+        print(f"Valid: {'✅ Yes' if summary['is_valid'] else '❌ No'}")
+        
+        if self.validation_results:
+            print(f"\\n📝 Issues:")
+            for i, result in enumerate(self.validation_results, 1):
+                level_icon = {"error": "❌", "warning": "⚠️", "info": "ℹ️"}[result.level]
+                print(f"{i:2d}. {level_icon} {result.message}")
+                if result.section:
+                    print(f"    Section: {result.section}")
+                if result.key:
+                    print(f"    Key: {result.key}")
+                if result.suggestion:
+                    print(f"    Suggestion: {result.suggestion}")
+                print()
+
+

mcp_proxy_adapter/core/crl_utils.py

@@ -0,0 +1,362 @@
+"""
+CRL Utilities Module
+
+This module provides utilities for working with Certificate Revocation Lists (CRL).
+Supports both file-based and URL-based CRL sources.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+Version: 1.0.0
+"""
+
+import logging
+import os
+import tempfile
+from pathlib import Path
+from typing import Optional, Union, Dict, Any
+import requests
+from requests.adapters import HTTPAdapter
+from urllib3.util.retry import Retry
+
+# Import mcp_security_framework CRL utilities
+try:
+    from mcp_security_framework.utils.cert_utils import (
+        is_certificate_revoked,
+        validate_certificate_against_crl,
+        is_crl_valid,
+        get_crl_info,
+    )
+
+    SECURITY_FRAMEWORK_AVAILABLE = True
+except ImportError:
+    SECURITY_FRAMEWORK_AVAILABLE = False
+
+logger = logging.getLogger(__name__)
+
+
+class CRLManager:
+    """
+    Manager for Certificate Revocation Lists (CRL).
+
+    Supports both file-based and URL-based CRL sources.
+    Automatically downloads CRL from URLs and caches them locally.
+    """
+
+    def __init__(self, config: Dict[str, Any]):
+        """
+        Initialize CRL manager.
+
+        Args:
+            config: Configuration dictionary containing CRL settings
+        """
+        self.config = config
+        self.crl_enabled = config.get("crl_enabled", False)
+
+        # Only analyze CRL paths if certificates are enabled
+        certificates_enabled = config.get("certificates_enabled", True)
+        if certificates_enabled and self.crl_enabled:
+            self.crl_path = config.get("crl_path")
+            self.crl_url = config.get("crl_url")
+            self.crl_validity_days = config.get("crl_validity_days", 30)
+        else:
+            # Don't analyze CRL paths if certificates are disabled
+            self.crl_path = None
+            self.crl_url = None
+            self.crl_validity_days = 30
+
+        # Cache for downloaded CRL files
+        self._crl_cache: Dict[str, str] = {}
+
+        # Setup HTTP session with retry strategy
+        self._setup_http_session()
+
+        get_global_logger().info(
+            f"CRL Manager initialized - enabled: {self.crl_enabled}, certificates_enabled: {certificates_enabled}"
+        )
+
+    def _setup_http_session(self):
+        """Setup HTTP session with retry strategy for CRL downloads."""
+        self.session = requests.Session()
+
+        # Configure retry strategy
+        retry_strategy = Retry(
+            total=3,
+            backoff_factor=1,
+            status_forcelist=[429, 500, 502, 503, 504],
+        )
+
+        adapter = HTTPAdapter(max_retries=retry_strategy)
+        self.session.mount("http://", adapter)
+        self.session.mount("https://", adapter)
+
+        # Set timeout
+        self.session.timeout = 30
+
+    def get_crl_data(self) -> Optional[Union[str, bytes, Path]]:
+        """
+        Get CRL data from configured source.
+
+        Returns:
+            CRL data as string, bytes, or Path, or None if not available
+
+        Raises:
+            ValueError: If CRL is enabled but no source is configured
+            FileNotFoundError: If CRL file is not found
+            requests.RequestException: If CRL download fails
+        """
+        if not self.crl_enabled:
+            get_global_logger().debug("CRL is disabled, skipping CRL check")
+            return None
+
+        # Check if CRL URL is configured
+        if self.crl_url:
+            return self._get_crl_from_url()
+
+        # Check if CRL file path is configured
+        if self.crl_path:
+            return self._get_crl_from_file()
+
+        # If CRL is enabled but no source is configured, this is an error
+        if self.crl_enabled:
+            raise ValueError(
+                "CRL is enabled but neither crl_path nor crl_url is configured"
+            )
+
+        return None
+
+    def _get_crl_from_url(self) -> str:
+        """
+        Download CRL from URL.
+
+        Returns:
+            Path to downloaded CRL file
+
+        Raises:
+            requests.RequestException: If download fails
+            ValueError: If downloaded data is not valid CRL
+        """
+        try:
+            get_global_logger().info(f"Downloading CRL from URL: {self.crl_url}")
+
+            # Download CRL
+            response = self.session.get(self.crl_url)
+            response.raise_for_status()
+
+            # Validate content type
+            content_type = response.headers.get("content-type", "").lower()
+            if (
+                "application/pkix-crl" not in content_type
+                and "application/x-pkcs7-crl" not in content_type
+            ):
+                get_global_logger().warning(f"Unexpected content type for CRL: {content_type}")
+
+            # Save to temporary file
+            with tempfile.NamedTemporaryFile(
+                mode="wb", suffix=".crl", delete=False
+            ) as temp_file:
+                temp_file.write(response.content)
+                temp_file_path = temp_file.name
+
+            # Validate CRL format
+            if SECURITY_FRAMEWORK_AVAILABLE:
+                try:
+                    is_crl_valid(temp_file_path)
+                    get_global_logger().info(
+                        f"CRL downloaded and validated successfully from {self.crl_url}"
+                    )
+                except Exception as e:
+                    os.unlink(temp_file_path)
+                    raise ValueError(f"Downloaded CRL is not valid: {e}")
+            else:
+                get_global_logger().warning(
+                    "mcp_security_framework not available, skipping CRL validation"
+                )
+
+            # Cache the file path
+            self._crl_cache[self.crl_url] = temp_file_path
+
+            return temp_file_path
+
+        except requests.RequestException as e:
+            get_global_logger().error(f"Failed to download CRL from {self.crl_url}: {e}")
+            raise
+        except Exception as e:
+            get_global_logger().error(f"CRL download failed: {e}")
+            raise
+
+    def _get_crl_from_file(self) -> str:
+        """
+        Get CRL from file path.
+
+        Returns:
+            Path to CRL file
+
+        Raises:
+            FileNotFoundError: If CRL file is not found
+            ValueError: If CRL file is not valid
+        """
+        if not os.path.exists(self.crl_path):
+            raise FileNotFoundError(f"CRL file not found: {self.crl_path}")
+
+        # Validate CRL format
+        if SECURITY_FRAMEWORK_AVAILABLE:
+            try:
+                is_crl_valid(self.crl_path)
+                get_global_logger().info(f"CRL file validated successfully: {self.crl_path}")
+            except Exception as e:
+                raise ValueError(f"CRL file is not valid: {e}")
+        else:
+            get_global_logger().warning(
+                "mcp_security_framework not available, skipping CRL validation"
+            )
+
+        return self.crl_path
+
+    def is_certificate_revoked(self, cert_path: str) -> bool:
+        """
+        Check if certificate is revoked according to CRL.
+
+        Args:
+            cert_path: Path to certificate file
+
+        Returns:
+            True if certificate is revoked, False otherwise
+
+        Raises:
+            ValueError: If CRL is enabled but not available
+            FileNotFoundError: If certificate file is not found
+        """
+        if not self.crl_enabled:
+            return False
+
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            get_global_logger().warning("mcp_security_framework not available, skipping CRL check")
+            return False
+
+        try:
+            crl_data = self.get_crl_data()
+            if not crl_data:
+                get_global_logger().warning("CRL is enabled but no CRL data is available")
+                return False
+
+            is_revoked = is_certificate_revoked(cert_path, crl_data)
+
+            if is_revoked:
+                get_global_logger().warning(f"Certificate is revoked according to CRL: {cert_path}")
+            else:
+                get_global_logger().debug(
+                    f"Certificate is not revoked according to CRL: {cert_path}"
+                )
+
+            return is_revoked
+
+        except Exception as e:
+            get_global_logger().error(f"CRL check failed for certificate {cert_path}: {e}")
+            # For security, consider certificate invalid if CRL check fails
+            return True
+
+    def validate_certificate_against_crl(self, cert_path: str) -> Dict[str, Any]:
+        """
+        Validate certificate against CRL and return detailed status.
+
+        Args:
+            cert_path: Path to certificate file
+
+        Returns:
+            Dictionary containing validation results
+
+        Raises:
+            ValueError: If CRL is enabled but not available
+            FileNotFoundError: If certificate file is not found
+        """
+        if not self.crl_enabled:
+            return {
+                "is_revoked": False,
+                "crl_checked": False,
+                "crl_source": None,
+                "message": "CRL check is disabled",
+            }
+
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            get_global_logger().warning(
+                "mcp_security_framework not available, skipping CRL validation"
+            )
+            return {
+                "is_revoked": False,
+                "crl_checked": False,
+                "crl_source": None,
+                "message": "mcp_security_framework not available",
+            }
+
+        try:
+            crl_data = self.get_crl_data()
+            if not crl_data:
+                get_global_logger().warning("CRL is enabled but no CRL data is available")
+                return {
+                    "is_revoked": True,  # For security, consider invalid if CRL unavailable
+                    "crl_checked": False,
+                    "crl_source": None,
+                    "message": "CRL is enabled but not available",
+                }
+
+            # Get CRL source info
+            crl_source = self.crl_url if self.crl_url else self.crl_path
+
+            # Validate certificate against CRL
+            result = validate_certificate_against_crl(cert_path, crl_data)
+
+            result["crl_checked"] = True
+            result["crl_source"] = crl_source
+
+            return result
+
+        except Exception as e:
+            get_global_logger().error(f"CRL validation failed for certificate {cert_path}: {e}")
+            # For security, consider certificate invalid if CRL validation fails
+            return {
+                "is_revoked": True,
+                "crl_checked": False,
+                "crl_source": self.crl_url if self.crl_url else self.crl_path,
+                "message": f"CRL validation failed: {e}",
+            }
+
+    def get_crl_info(self) -> Optional[Dict[str, Any]]:
+        """
+        Get information about the configured CRL.
+
+        Returns:
+            Dictionary containing CRL information, or None if CRL is not available
+        """
+        if not self.crl_enabled:
+            return None
+
+        if not SECURITY_FRAMEWORK_AVAILABLE:
+            get_global_logger().warning("mcp_security_framework not available, cannot get CRL info")
+            return None
+
+        try:
+            crl_data = self.get_crl_data()
+            if not crl_data:
+                return None
+
+            return get_crl_info(crl_data)
+
+        except Exception as e:
+            get_global_logger().error(f"Failed to get CRL info: {e}")
+            return None
+
+    def cleanup_cache(self):
+        """Clean up temporary CRL files."""
+        for url, temp_path in self._crl_cache.items():
+            try:
+                if os.path.exists(temp_path):
+                    os.unlink(temp_path)
+                    get_global_logger().debug(f"Cleaned up temporary CRL file: {temp_path}")
+            except Exception as e:
+                get_global_logger().warning(f"Failed to cleanup temporary CRL file {temp_path}: {e}")
+
+        self._crl_cache.clear()
+
+    def __del__(self):
+        """Cleanup when object is destroyed."""
+        self.cleanup_cache()