mcp-security-framework 0.1.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

mcp_security_framework/core/auth_manager.py

@@ -159,6 +159,16 @@ class AuthManager:
                 "jwt_expiry_hours": config.jwt_expiry_hours,
             },
         )
+    
+    @property
+    def is_auth_enabled(self) -> bool:
+        """
+        Check if authentication is enabled.
+        
+        Returns:
+            bool: True if authentication is enabled, False otherwise
+        """
+        return self.config.enabled
 
     def authenticate_api_key(self, api_key: str) -> AuthResult:
         """
@@ -568,7 +578,7 @@ class AuthManager:
 
             # Check certificate expiration
             now = datetime.now(timezone.utc)
-            if cert.not_valid_after.replace(tzinfo=timezone.utc) < now:
+            if cert.not_valid_after_utc.replace(tzinfo=timezone.utc) < now:
                 return AuthResult(
                     is_valid=False,
                     status=AuthStatus.EXPIRED,
@@ -626,7 +636,7 @@ class AuthManager:
                 roles=roles,
                 auth_method="certificate",
                 auth_timestamp=datetime.now(timezone.utc),
-                token_expiry=cert.not_valid_after.replace(tzinfo=timezone.utc),
+                token_expiry=cert.not_valid_after_utc.replace(tzinfo=timezone.utc),
             )
 
             self.logger.info(

mcp_security_framework/core/cert_manager.py

@@ -313,8 +313,8 @@ class CertificateManager:
                 serial_number=str(certificate.serial_number),
                 common_name=ca_config.common_name,
                 organization=ca_config.organization,
-                not_before=certificate.not_valid_before,
-                not_after=certificate.not_valid_after.replace(tzinfo=timezone.utc),
+                not_before=certificate.not_valid_before_utc,
+                not_after=certificate.not_valid_after_utc.replace(tzinfo=timezone.utc),
                 certificate_type=CertificateType.ROOT_CA,
                 key_size=ca_config.key_size,
             )
@@ -534,8 +534,8 @@ class CertificateManager:
                     encryption_algorithm=serialization.NoEncryption(),
                 ).decode(),
                 serial_number=str(certificate.serial_number),
-                not_before=certificate.not_valid_before.replace(tzinfo=timezone.utc),
-                not_after=certificate.not_valid_after.replace(tzinfo=timezone.utc),
+                not_before=certificate.not_valid_before_utc.replace(tzinfo=timezone.utc),
+                not_after=certificate.not_valid_after_utc.replace(tzinfo=timezone.utc),
                 common_name=intermediate_config.common_name,
                 organization=intermediate_config.organization,
                 certificate_type=CertificateType.INTERMEDIATE_CA,
@@ -775,8 +775,8 @@ class CertificateManager:
                 serial_number=str(certificate.serial_number),
                 common_name=client_config.common_name,
                 organization=client_config.organization,
-                not_before=certificate.not_valid_before,
-                not_after=certificate.not_valid_after.replace(tzinfo=timezone.utc),
+                not_before=certificate.not_valid_before_utc,
+                not_after=certificate.not_valid_after_utc.replace(tzinfo=timezone.utc),
                 certificate_type=CertificateType.CLIENT,
                 key_size=client_config.key_size,
             )
@@ -1009,8 +1009,8 @@ class CertificateManager:
                 serial_number=str(certificate.serial_number),
                 common_name=server_config.common_name,
                 organization=server_config.organization,
-                not_before=certificate.not_valid_before,
-                not_after=certificate.not_valid_after.replace(tzinfo=timezone.utc),
+                not_before=certificate.not_valid_before_utc,
+                not_after=certificate.not_valid_after_utc.replace(tzinfo=timezone.utc),
                 certificate_type=CertificateType.SERVER,
                 key_size=server_config.key_size,
             )
@@ -1144,8 +1144,8 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
                 serial_number=str(new_cert.serial_number),
                 common_name="",  # Will be extracted from subject
                 organization="",  # Will be extracted from subject
-                not_before=new_cert.not_valid_before,
-                not_after=new_cert.not_valid_after.replace(tzinfo=timezone.utc),
+                not_before=new_cert.not_valid_before_utc,
+                not_after=new_cert.not_valid_after_utc.replace(tzinfo=timezone.utc),
                 certificate_type=CertificateType.CLIENT,  # Default
                 key_size=0,  # Will be extracted
             )
@@ -1411,8 +1411,8 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
                     )
                 },
                 serial_number=serial_number,
-                not_before=cert.not_valid_before,
-                not_after=cert.not_valid_after,
+                not_before=cert.not_valid_before_utc,
+                not_after=cert.not_valid_after_utc,
                 certificate_type=CertificateType.CLIENT,  # Default to client, could be enhanced
                 key_size=expiry_info.get("key_size", 2048),  # Default to 2048 bits
                 signature_algorithm=cert.signature_algorithm_oid._name,
@@ -1446,18 +1446,199 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
                 f"Failed to get certificate info: {str(e)}"
             )
 
+    def create_certificate_signing_request(self, 
+                                         common_name: str,
+                                         organization: str,
+                                         country: str,
+                                         state: Optional[str] = None,
+                                         locality: Optional[str] = None,
+                                         organizational_unit: Optional[str] = None,
+                                         email: Optional[str] = None,
+                                         key_size: int = 2048,
+                                         key_type: str = "rsa",
+                                         output_path: Optional[str] = None) -> Tuple[str, str]:
+        """
+        Create a Certificate Signing Request (CSR).
+
+        This method creates a Certificate Signing Request (CSR) that can be
+        submitted to a Certificate Authority (CA) for signing.
+
+        Args:
+            common_name (str): Common name for the certificate (e.g., domain name)
+            organization (str): Organization name
+            country (str): Country code (e.g., "US", "GB")
+            state (Optional[str]): State or province name
+            locality (Optional[str]): Locality or city name
+            organizational_unit (Optional[str]): Organizational unit name
+            email (Optional[str]): Email address
+            key_size (int): Key size in bits. Defaults to 2048
+            key_type (str): Key type ("rsa" or "ec"). Defaults to "rsa"
+            output_path (Optional[str]): Output directory for CSR and key files.
+                If None, uses default path from configuration
+
+        Returns:
+            Tuple[str, str]: Paths to the created CSR file and private key file
+
+        Raises:
+            ValueError: When required parameters are invalid
+            CertificateGenerationError: When CSR creation fails
+            FileNotFoundError: When output directory is not accessible
+            PermissionError: When output directory is not writable
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> csr_path, key_path = cert_manager.create_certificate_signing_request(
+            ...     common_name="api.example.com",
+            ...     organization="Example Corp",
+            ...     country="US",
+            ...     state="California"
+            ... )
+            >>> print(f"CSR created: {csr_path}")
+            >>> print(f"Private key created: {key_path}")
+        """
+        try:
+            # Validate required parameters
+            if not common_name:
+                raise ValueError("Common name is required")
+            if not organization:
+                raise ValueError("Organization is required")
+            if not country:
+                raise ValueError("Country is required")
+
+            # Generate private key
+            if key_type.lower() == "rsa":
+                private_key = rsa.generate_private_key(
+                    public_exponent=65537, key_size=key_size, backend=None
+                )
+            elif key_type.lower() == "ec":
+                private_key = ec.generate_private_key(
+                    ec.SECP256R1(), backend=None
+                )
+            else:
+                raise ValueError(f"Unsupported key type: {key_type}")
+
+            # Create CSR subject
+            subject_attributes = [
+                x509.NameAttribute(NameOID.COMMON_NAME, common_name),
+                x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization),
+                x509.NameAttribute(NameOID.COUNTRY_NAME, country),
+            ]
+
+            # Add optional attributes
+            if state:
+                subject_attributes.append(
+                    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state)
+                )
+            if locality:
+                subject_attributes.append(
+                    x509.NameAttribute(NameOID.LOCALITY_NAME, locality)
+                )
+            if organizational_unit:
+                subject_attributes.append(
+                    x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, organizational_unit)
+                )
+            if email:
+                subject_attributes.append(
+                    x509.NameAttribute(NameOID.EMAIL_ADDRESS, email)
+                )
+
+            subject = x509.Name(subject_attributes)
+
+            # Create CSR builder
+            csr_builder = x509.CertificateSigningRequestBuilder()
+            csr_builder = csr_builder.subject_name(subject)
+            csr_builder = csr_builder.add_extension(
+                x509.BasicConstraints(ca=False, path_length=None),
+                critical=True
+            )
+
+            # Add Subject Alternative Name extension if common name looks like a domain
+            if "." in common_name and not common_name.startswith("*"):
+                san_extension = x509.SubjectAlternativeName([
+                    x509.DNSName(common_name)
+                ])
+                csr_builder = csr_builder.add_extension(san_extension, critical=False)
+
+            # Build and sign CSR
+            csr = csr_builder.sign(private_key, hashes.SHA256())
+
+            # Determine output paths
+            if output_path is None:
+                output_dir = Path(self.config.cert_storage_path) / "csr"
+                output_dir.mkdir(parents=True, exist_ok=True)
+                timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
+                csr_filename = f"{common_name.replace('.', '_')}_{timestamp}.csr"
+                key_filename = f"{common_name.replace('.', '_')}_{timestamp}.key"
+                csr_path = str(output_dir / csr_filename)
+                key_path = str(output_dir / key_filename)
+            else:
+                output_dir = Path(output_path)
+                output_dir.mkdir(parents=True, exist_ok=True)
+                timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
+                csr_filename = f"{common_name.replace('.', '_')}_{timestamp}.csr"
+                key_filename = f"{common_name.replace('.', '_')}_{timestamp}.key"
+                csr_path = str(output_dir / csr_filename)
+                key_path = str(output_dir / key_filename)
+
+            # Write CSR to file
+            with open(csr_path, 'wb') as f:
+                f.write(csr.public_bytes(serialization.Encoding.PEM))
+
+            # Write private key to file
+            with open(key_path, 'wb') as f:
+                f.write(private_key.private_bytes(
+                    encoding=serialization.Encoding.PEM,
+                    format=serialization.PrivateFormat.PKCS8,
+                    encryption_algorithm=serialization.NoEncryption()
+                ))
+
+            # Set proper permissions
+            os.chmod(key_path, 0o600)  # Read/write for owner only
+            os.chmod(csr_path, 0o644)  # Read for all, write for owner
+
+            self.logger.info(
+                "CSR created successfully",
+                extra={
+                    "csr_path": csr_path,
+                    "key_path": key_path,
+                    "common_name": common_name,
+                    "organization": organization,
+                    "key_type": key_type,
+                    "key_size": key_size
+                }
+            )
+
+            return csr_path, key_path
+
+        except Exception as e:
+            self.logger.error(
+                "Failed to create CSR",
+                extra={
+                    "common_name": common_name,
+                    "organization": organization,
+                    "error": str(e)
+                }
+            )
+            raise CertificateGenerationError(f"Failed to create CSR: {str(e)}")
+
     def create_crl(self, ca_cert_path: str, ca_key_path: str, 
+                   revoked_serials: Optional[List[Dict[str, Union[str, int]]]] = None,
                    output_path: Optional[str] = None, validity_days: int = 30) -> str:
         """
         Create a Certificate Revocation List (CRL).
 
         This method creates a Certificate Revocation List (CRL) from the CA
         certificate and private key. The CRL contains information about
-        revoked certificates.
+        revoked certificates with revocation reasons.
 
         Args:
             ca_cert_path (str): Path to CA certificate file
             ca_key_path (str): Path to CA private key file
+            revoked_serials (Optional[List[Dict]]): List of revoked certificate serials.
+                Each dict should contain:
+                - "serial": Serial number as string or int
+                - "reason": Revocation reason (optional)
+                - "revocation_date": Revocation date (optional, defaults to now)
             output_path (Optional[str]): Output path for CRL file.
                 If None, uses default path from configuration
             validity_days (int): CRL validity period in days. Defaults to 30
@@ -1471,9 +1652,14 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
 
         Example:
             >>> cert_manager = CertificateManager(config)
+            >>> revoked_serials = [
+            ...     {"serial": "123456789", "reason": "key_compromise"},
+            ...     {"serial": "987654321", "reason": "certificate_hold"}
+            ... ]
             >>> crl_path = cert_manager.create_crl(
             ...     ca_cert_path="/path/to/ca.crt",
             ...     ca_key_path="/path/to/ca.key",
+            ...     revoked_serials=revoked_serials,
             ...     validity_days=30
             ... )
             >>> print(f"CRL created: {crl_path}")
@@ -1508,10 +1694,31 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             crl_builder = crl_builder.next_update(next_update)
             crl_builder = crl_builder.issuer_name(ca_cert.subject)
 
-            # Add revoked certificates (empty for now, can be enhanced)
-            # This is a basic implementation - in a real scenario, you would
-            # load revoked certificates from a database or file
+            # Add revoked certificates
             revoked_certificates = []
+            if revoked_serials:
+                for revoked_info in revoked_serials:
+                    serial = revoked_info.get("serial")
+                    reason = revoked_info.get("reason", "unspecified")
+                    revocation_date = revoked_info.get("revocation_date", now)
+                    
+                    # Convert serial to int if it's a string
+                    if isinstance(serial, str):
+                        serial = int(serial, 16) if serial.startswith("0x") else int(serial)
+                    
+                    # Map reason string to x509 enum
+                    reason_enum = self._get_revocation_reason(reason)
+                    
+                    # Create revoked certificate entry
+                    revoked_cert = x509.RevokedCertificateBuilder().serial_number(
+                        serial
+                    ).revocation_date(
+                        revocation_date
+                    ).add_extension(
+                        x509.CRLReason(reason_enum), critical=False
+                    ).build()
+                    
+                    revoked_certificates.append(revoked_cert)
 
             # Build CRL
             crl = crl_builder.sign(ca_private_key, hashes.SHA256())
@@ -1551,6 +1758,30 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             )
             raise CertificateGenerationError(f"Failed to create CRL: {str(e)}")
 
+    def _get_revocation_reason(self, reason: str) -> x509.ReasonFlags:
+        """
+        Map reason string to x509.ReasonFlags enum.
+        
+        Args:
+            reason (str): Reason string
+            
+        Returns:
+            x509.ReasonFlags: Corresponding reason enum
+        """
+        reason_map = {
+            "unspecified": x509.ReasonFlags.unspecified,
+            "key_compromise": x509.ReasonFlags.key_compromise,
+            "ca_compromise": x509.ReasonFlags.ca_compromise,
+            "affiliation_changed": x509.ReasonFlags.affiliation_changed,
+            "superseded": x509.ReasonFlags.superseded,
+            "cessation_of_operation": x509.ReasonFlags.cessation_of_operation,
+            "certificate_hold": x509.ReasonFlags.certificate_hold,
+            "privilege_withdrawn": x509.ReasonFlags.privilege_withdrawn,
+            "aa_compromise": x509.ReasonFlags.aa_compromise,
+        }
+        
+        return reason_map.get(reason.lower(), x509.ReasonFlags.unspecified)
+
     def export_certificate(self, cert_path: str, format: str = "pem") -> Union[str, bytes]:
         """
         Export certificate to different formats.

mcp_security_framework/core/permission_manager.py

@@ -660,6 +660,10 @@ class PermissionManager:
         if required_perm in available_permissions:
             return True
 
+        # Check for universal permission "*" (all permissions)
+        if "*" in available_permissions:
+            return True
+
         # Wildcard match
         if "*" in required_perm:
             perm_parts = required_perm.split(":")

mcp_security_framework/core/rate_limiter.py

@@ -182,6 +182,16 @@ class RateLimiter:
                 "storage_backend": config.storage_backend,
             },
         )
+    
+    @property
+    def is_rate_limiting_enabled(self) -> bool:
+        """
+        Check if rate limiting is enabled.
+        
+        Returns:
+            bool: True if rate limiting is enabled, False otherwise
+        """
+        return self.config.enabled
 
     def check_rate_limit(self, identifier: str, limit: Optional[int] = None) -> bool:
         """

mcp_security_framework/core/security_manager.py

@@ -25,6 +25,7 @@ License: MIT
 
 import logging
 from typing import Dict, List, Optional, Union, Any
+from datetime import datetime, timezone
 
 from ..schemas.config import SecurityConfig, AuthConfig, PermissionConfig, CertificateConfig
 from ..schemas.models import AuthResult, ValidationResult, ValidationStatus, CertificatePair, CertificateInfo, AuthStatus
@@ -129,6 +130,7 @@ class SecurityManager:
         self.logger = logging.getLogger(__name__)
         self._component_status: Dict[str, bool] = {}
         self._security_events: List[Dict[str, Any]] = []
+        self._start_time = datetime.now(timezone.utc)
         
         # Initialize all core components
         self._initialize_components()