mcp-proxy-adapter 6.9.43__py3-none-any.whl

mcp_proxy_adapter/core/mtls_asgi.py

@@ -0,0 +1,140 @@
+"""
+Custom ASGI application for mTLS support.
+
+This module provides a custom ASGI application that properly handles
+client certificates in mTLS connections.
+"""
+
+import ssl
+import logging
+from typing import Dict, Any, Optional
+from starlette.types import ASGIApp, Receive, Send, Scope
+
+logger = logging.getLogger(__name__)
+
+
+class MTLSASGIApp:
+    """
+    Custom ASGI application that properly handles mTLS client certificates.
+
+    This wrapper ensures that client certificates are properly extracted
+    and made available to the FastAPI application.
+    """
+
+    def __init__(self, app: ASGIApp, ssl_config: Dict[str, Any]):
+        """
+        Initialize MTLS ASGI application.
+
+        Args:
+            app: The underlying ASGI application (FastAPI)
+            ssl_config: SSL configuration for mTLS
+        """
+        self.app = app
+        self.ssl_config = ssl_config
+        self.verify_client = ssl_config.get("verify_client", False)
+        self.client_cert_required = ssl_config.get("client_cert_required", False)
+
+        get_global_logger().info(
+            f"MTLS ASGI app initialized: verify_client={self.verify_client}, "
+            f"client_cert_required={self.client_cert_required}"
+        )
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        """
+        Handle ASGI request with mTLS support.
+
+        Args:
+            scope: ASGI scope
+            receive: ASGI receive callable
+            send: ASGI send callable
+        """
+        try:
+            # Extract client certificate from SSL context
+            if scope["type"] == "http" and "ssl" in scope:
+                client_cert = self._extract_client_certificate(scope)
+                if client_cert:
+                    # Store certificate in scope for middleware access
+                    scope["client_certificate"] = client_cert
+                    get_global_logger().debug(
+                        f"Client certificate extracted: {client_cert.get('subject', {})}"
+                    )
+                elif self.client_cert_required:
+                    get_global_logger().warning("Client certificate required but not provided")
+                    # Return 401 Unauthorized
+                    await self._send_unauthorized_response(send)
+                    return
+
+            # Call the underlying application
+            await self.app(scope, receive, send)
+
+        except Exception as e:
+            get_global_logger().error(f"Error in MTLS ASGI app: {e}")
+            await self._send_error_response(send, str(e))
+
+    def _extract_client_certificate(self, scope: Scope) -> Optional[Dict[str, Any]]:
+        """
+        Extract client certificate from SSL context.
+
+        Args:
+            scope: ASGI scope
+
+        Returns:
+            Client certificate data or None
+        """
+        try:
+            ssl_context = scope.get("ssl")
+            if not ssl_context:
+                return None
+
+            # Get peer certificate
+            cert = ssl_context.getpeercert()
+            if cert:
+                return cert
+
+            return None
+
+        except Exception as e:
+            get_global_logger().error(f"Failed to extract client certificate: {e}")
+            return None
+
+    async def _send_unauthorized_response(self, send: Send) -> None:
+        """
+        Send 401 Unauthorized response.
+
+        Args:
+            send: ASGI send callable
+        """
+        response = {
+            "type": "http.response.start",
+            "status": 401,
+            "headers": [
+                (b"content-type", b"application/json"),
+                (b"content-length", b"163"),
+            ],
+        }
+        await send(response)
+
+        body = b'{"jsonrpc": "2.0", "error": {"code": -32001, "message": "Unauthorized: Client certificate required"}, "id": null}'
+        await send({"type": "http.response.body", "body": body})
+
+    async def _send_error_response(self, send: Send, error_message: str) -> None:
+        """
+        Send error response.
+
+        Args:
+            send: ASGI send callable
+            error_message: Error message
+        """
+        response = {
+            "type": "http.response.start",
+            "status": 500,
+            "headers": [
+                (b"content-type", b"application/json"),
+            ],
+        }
+        await send(response)
+
+        body = f'{{"jsonrpc": "2.0", "error": {{"code": -32603, "message": "Internal error: {error_message}"}}, "id": null}}'.encode()
+        await send({"type": "http.response.body", "body": body})
+
+

mcp_proxy_adapter/core/mtls_asgi_app.py

@@ -0,0 +1,187 @@
+"""
+MTLS ASGI Application Wrapper
+
+This module provides an ASGI application wrapper that extracts client certificates
+from the SSL context and makes them available to FastAPI middleware.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+Version: 1.0.0
+"""
+
+import logging
+import ssl
+from typing import Dict, Any, Optional
+from cryptography import x509
+
+logger = logging.getLogger(__name__)
+
+
+class MTLSASGIApp:
+    """
+    ASGI application wrapper for mTLS support.
+
+    Extracts client certificates from SSL context and stores them in ASGI scope
+    for access by FastAPI middleware.
+    """
+
+    def __init__(self, app, ssl_config: Dict[str, Any]):
+        """
+        Initialize MTLS ASGI app.
+
+        Args:
+            app: The underlying ASGI application
+            ssl_config: SSL configuration dictionary
+        """
+        self.app = app
+        self.ssl_config = ssl_config
+        self.client_cert_required = ssl_config.get("client_cert_required", True)
+
+        get_global_logger().info(
+            f"MTLS ASGI app initialized: client_cert_required={self.client_cert_required}"
+        )
+
+    async def __call__(self, scope: Dict[str, Any], receive, send):
+        """
+        Handle ASGI request with mTLS support.
+
+        Args:
+            scope: ASGI scope dictionary
+            receive: ASGI receive callable
+            send: ASGI send callable
+        """
+        try:
+            # Extract client certificate from SSL context
+            if scope["type"] == "http" and "ssl" in scope:
+                client_cert = self._extract_client_certificate(scope)
+                if client_cert:
+                    # Store certificate in scope for middleware access
+                    scope["client_certificate"] = client_cert
+                    get_global_logger().debug(
+                        f"Client certificate extracted: {client_cert.get('subject', {})}"
+                    )
+                elif self.client_cert_required:
+                    get_global_logger().warning("Client certificate required but not provided")
+                    # Return 401 Unauthorized
+                    await self._send_unauthorized_response(send)
+                    return
+
+            # Call the underlying application
+            await self.app(scope, receive, send)
+
+        except Exception as e:
+            get_global_logger().error(f"Error in MTLS ASGI app: {e}")
+            await self._send_error_response(send, str(e))
+
+    def _extract_client_certificate(
+        self, scope: Dict[str, Any]
+    ) -> Optional[Dict[str, Any]]:
+        """
+        Extract client certificate from SSL context.
+
+        Args:
+            scope: ASGI scope dictionary
+
+        Returns:
+            Certificate dictionary or None if not found
+        """
+        try:
+            ssl_context = scope.get("ssl")
+            if not ssl_context:
+                get_global_logger().debug("No SSL context found in scope")
+                return None
+
+            # Try to get peer certificate
+            if hasattr(ssl_context, "getpeercert"):
+                cert_data = ssl_context.getpeercert(binary_form=True)
+                if cert_data:
+                    # Parse certificate
+                    cert = x509.load_der_x509_certificate(cert_data)
+                    return self._cert_to_dict(cert)
+                else:
+                    get_global_logger().debug("No certificate data in SSL context")
+                    return None
+            else:
+                get_global_logger().debug("SSL context has no getpeercert method")
+                return None
+
+        except Exception as e:
+            get_global_logger().error(f"Failed to extract client certificate: {e}")
+            return None
+
+    def _cert_to_dict(self, cert: x509.Certificate) -> Dict[str, Any]:
+        """
+        Convert x509 certificate to dictionary.
+
+        Args:
+            cert: x509 certificate object
+
+        Returns:
+            Certificate dictionary
+        """
+        try:
+            # Extract subject
+            subject = {}
+            for name in cert.subject:
+                subject[name.oid._name] = name.value
+
+            # Extract issuer
+            issuer = {}
+            for name in cert.issuer:
+                issuer[name.oid._name] = name.value
+
+            return {
+                "subject": subject,
+                "issuer": issuer,
+                "serial_number": str(cert.serial_number),
+                "not_valid_before": cert.not_valid_before.isoformat(),
+                "not_valid_after": cert.not_valid_after.isoformat(),
+                "version": cert.version.value,
+                "signature_algorithm_oid": cert.signature_algorithm_oid._name,
+                "public_key": {
+                    "key_size": (
+                        cert.public_key().key_size
+                        if hasattr(cert.public_key(), "key_size")
+                        else None
+                    ),
+                    "public_numbers": (
+                        str(cert.public_key().public_numbers())
+                        if hasattr(cert.public_key(), "public_numbers")
+                        else None
+                    ),
+                },
+            }
+        except Exception as e:
+            get_global_logger().error(f"Failed to convert certificate to dict: {e}")
+            return {"error": str(e)}
+
+    async def _send_unauthorized_response(self, send):
+        """Send 401 Unauthorized response."""
+        await send(
+            {
+                "type": "http.response.start",
+                "status": 401,
+                "headers": [
+                    (b"content-type", b"application/json"),
+                    (b"content-length", b"0"),
+                ],
+            }
+        )
+        await send({"type": "http.response.body", "body": b""})
+
+    async def _send_error_response(self, send, error_message: str):
+        """Send error response."""
+        body = f'{{"error": "{error_message}"}}'.encode("utf-8")
+        await send(
+            {
+                "type": "http.response.start",
+                "status": 500,
+                "headers": [
+                    (b"content-type", b"application/json"),
+                    (b"content-length", str(len(body)).encode()),
+                ],
+            }
+        )
+        await send({"type": "http.response.body", "body": body})
+
+

mcp_proxy_adapter/core/mtls_proxy.py

@@ -0,0 +1,229 @@
+"""
+mTLS Proxy for MCP Proxy Adapter
+
+This module provides mTLS proxy functionality that accepts mTLS connections
+and proxies them to the internal hypercorn server.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import asyncio
+import ssl
+import logging
+from typing import Optional, Dict, Any
+
+from .logging import get_global_logger
+
+logger = logging.getLogger(__name__)
+
+
+class MTLSProxy:
+    """
+    mTLS Proxy that accepts mTLS connections and proxies them to internal server.
+    """
+    
+    def __init__(
+        self,
+                 external_host: str,
+                 external_port: int,
+                 internal_host: str = "127.0.0.1",
+                 internal_port: int = 9000,
+                 cert_file: Optional[str] = None,
+                 key_file: Optional[str] = None,
+        ca_cert: Optional[str] = None,
+    ):
+        """
+        Initialize mTLS Proxy.
+        
+        Args:
+            external_host: External host to bind to
+            external_port: External port to bind to
+            internal_host: Internal server host
+            internal_port: Internal server port
+            cert_file: Server certificate file
+            key_file: Server private key file
+            ca_cert: CA certificate file for client verification
+        """
+        self.external_host = external_host
+        self.external_port = external_port
+        self.internal_host = internal_host
+        self.internal_port = internal_port
+        self.cert_file = cert_file
+        self.key_file = key_file
+        self.ca_cert = ca_cert
+        self.server = None
+        
+    async def start(self):
+        """Start the mTLS proxy server."""
+        try:
+            # Create SSL context
+            ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+            ssl_context.load_cert_chain(self.cert_file, self.key_file)
+            
+            if self.ca_cert:
+                ssl_context.load_verify_locations(self.ca_cert)
+                ssl_context.verify_mode = ssl.CERT_REQUIRED
+            else:
+                ssl_context.verify_mode = ssl.CERT_NONE
+                
+            # Start server
+            self.server = await asyncio.start_server(
+                self._handle_client,
+                self.external_host,
+                self.external_port,
+                ssl=ssl_context,
+            )
+            
+            get_global_logger().info(
+                f"🔐 mTLS Proxy started on {self.external_host}:{self.external_port}"
+            )
+            get_global_logger().info(
+                f"🌐 Proxying to {self.internal_host}:{self.internal_port}"
+            )
+            
+        except Exception as e:
+            get_global_logger().error(f"❌ Failed to start mTLS proxy: {e}")
+            raise
+                
+    async def _proxy_data(self, reader, writer, direction):
+        """Proxy data between reader and writer."""
+        try:
+            while True:
+                data = await reader.read(4096)
+                if not data:
+                    break
+                writer.write(data)
+                await writer.drain()
+        except Exception as e:
+            get_global_logger().debug(f"Proxy connection closed ({direction}): {e}")
+        finally:
+            try:
+                writer.close()
+                await writer.wait_closed()
+            except Exception:
+                pass
+
+    async def _handle_client(self, reader, writer):
+        """
+        Handle incoming client connection.
+
+        Args:
+            reader: Client reader stream
+            writer: Client writer stream
+        """
+        internal_reader = None
+        internal_writer = None
+
+        try:
+            # Connect to internal server
+            internal_reader, internal_writer = await asyncio.open_connection(
+                self.internal_host, self.internal_port
+            )
+
+            # Create bidirectional proxy tasks
+            client_to_server = asyncio.create_task(
+                self._proxy_data(reader, internal_writer, "client->server")
+            )
+            server_to_client = asyncio.create_task(
+                self._proxy_data(internal_reader, writer, "server->client")
+            )
+
+            # Wait for either direction to complete
+            done, pending = await asyncio.wait(
+                [client_to_server, server_to_client],
+                return_when=asyncio.FIRST_COMPLETED,
+            )
+
+            # Cancel pending tasks
+            for task in pending:
+                task.cancel()
+
+            # Wait for cancellation
+            await asyncio.gather(*pending, return_exceptions=True)
+
+        except Exception as e:
+            get_global_logger().debug(f"Client connection error: {e}")
+        finally:
+            # Clean up connections
+            if internal_writer:
+                try:
+                    internal_writer.close()
+                    await internal_writer.wait_closed()
+                except Exception:
+                    pass
+            if writer:
+                try:
+                    writer.close()
+                    await writer.wait_closed()
+                except Exception:
+                    pass
+
+
+async def start_mtls_proxy(
+    config: Dict[str, Any], internal_port: Optional[int] = None
+) -> Optional[MTLSProxy]:
+    """
+    Start mTLS proxy from configuration.
+
+    Args:
+        config: Configuration dictionary
+        internal_port: Internal server port (hypercorn port). If not provided,
+                      will be calculated as external_port + 1000
+
+    Returns:
+        MTLSProxy instance if started successfully, None otherwise
+    """
+    try:
+        server_config = config.get("server", {})
+        transport_config = config.get("transport", {})
+        ssl_config = config.get("ssl", {})
+
+        # Get external host and port
+        external_host = server_config.get("host", "0.0.0.0")
+        external_port = server_config.get("port", 8001)
+
+        # Get internal port (use provided or calculate)
+        if internal_port is None:
+            internal_port = external_port + 1000
+
+        # Get certificate paths - try multiple locations
+        cert_file = (
+            ssl_config.get("cert_file")
+            or transport_config.get("ssl", {}).get("cert_file")
+            or transport_config.get("cert_file")
+        )
+        key_file = (
+            ssl_config.get("key_file")
+            or transport_config.get("ssl", {}).get("key_file")
+            or transport_config.get("key_file")
+        )
+        ca_cert = (
+            ssl_config.get("ca_cert")
+            or transport_config.get("ssl", {}).get("ca_cert")
+            or transport_config.get("ca_cert")
+        )
+
+        if not cert_file or not key_file:
+            get_global_logger().warning(
+                "mTLS certificates not found, skipping mTLS proxy"
+            )
+            return None
+
+        # Create and start proxy
+        proxy = MTLSProxy(
+            external_host=external_host,
+            external_port=external_port,
+            internal_host="127.0.0.1",
+            internal_port=internal_port,
+            cert_file=cert_file,
+            key_file=key_file,
+            ca_cert=ca_cert,
+        )
+
+        await proxy.start()
+        return proxy
+
+    except Exception as e:
+        get_global_logger().error(f"Failed to start mTLS proxy: {e}")
+        return None