PyPI - mcp-security-framework - Versions diffs - 1.2.0__tar.gz → 1.2.1__tar.gz - Mend

mcp-security-framework 1.2.0tar.gz → 1.2.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (90) hide show

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-security-framework
-Version: 1.2.0
+Version: 1.2.1
 Summary: Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Requires cryptography>=42.0.0 for certificate operations.
 Author-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>
 Maintainer-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/mcp_security_framework/__init__.py RENAMED Viewed

@@ -71,7 +71,7 @@ from mcp_security_framework.schemas.responses import (
 )
 # Version information
-__version__ = "0.1.0"
+__version__ = "1.2.1"
 __author__ = "Vasiliy Zdanovskiy"
 __email__ = "vasilyvz@gmail.com"
 __license__ = "MIT"

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/mcp_security_framework/core/auth_manager.py RENAMED Viewed

@@ -38,6 +38,7 @@ from ..schemas.models import AuthResult, AuthStatus, ValidationResult
 from ..utils.cert_utils import (
     extract_permissions_from_certificate,
     extract_roles_from_certificate,
+    extract_unitid_from_certificate,
     parse_certificate,
     validate_certificate_chain,
 )
@@ -124,20 +125,21 @@ class AuthManager:
         self.logger = logging.getLogger(__name__)
         # Initialize storage
-        # Convert API keys from "key": "user" format to "user": "key" format
+        # Store API keys in format: {"api_key": "username"}
         # or handle new format "key": {"username": "user", "roles": ["role1", "role2"]}
         if config.api_keys:
             self._api_keys = {}
             self._api_key_metadata = {}
             for key, value in config.api_keys.items():
                 if isinstance(value, str):
-                    # Old format: "key": "user"
+                    # Old format: "username": "api_key" -> store as {"api_key": "username"}
                     self._api_keys[value] = key
                 elif isinstance(value, dict):
-                    # New format: "key": {"username": "user", "roles": ["role1", "role2"]}
+                    # New format: "username": {"api_key": "key", "roles": ["role1", "role2"]}
+                    api_key = value.get("api_key", key)
                     username = value.get("username", key)
-                    self._api_keys[username] = key
-                    self._api_key_metadata[key] = value
+                    self._api_keys[api_key] = username
+                    self._api_key_metadata[api_key] = value
                 else:
                     self.logger.warning(
                         f"Invalid API key format for key {key}: {value}"
@@ -253,7 +255,7 @@ class AuthManager:
             # Find user by API key
             username = None
             user_roles = []
-            for user, api_key_in_config in self._api_keys.items():
+            for api_key_in_config, user in self._api_keys.items():
                 if api_key_in_config == api_key:
                     username = user
                     # Check if we have metadata for this API key
@@ -625,6 +627,16 @@ class AuthManager:
                 )
                 roles = []
+            # Extract unitid from certificate
+            unitid = None
+            try:
+                unitid = extract_unitid_from_certificate(cert_pem)
+            except Exception as e:
+                self.logger.warning(
+                    "Failed to extract unitid from certificate",
+                    extra={"username": username, "error": str(e)},
+                )
             # Validate certificate chain if CA is configured
             if self.config.ca_cert_file:
                 try:
@@ -656,6 +668,7 @@ class AuthManager:
                 auth_method="certificate",
                 auth_timestamp=datetime.now(timezone.utc),
                 token_expiry=get_not_valid_after_utc(cert),
+                unitid=unitid,
             )
             self.logger.info(
@@ -861,7 +874,7 @@ class AuthManager:
             if not validate_api_key_format(api_key):
                 return False
-            self._api_keys[username] = api_key
+            self._api_keys[api_key] = username
             self.logger.info("API key added for user", extra={"username": username})
@@ -884,8 +897,15 @@ class AuthManager:
             bool: True if API key was removed successfully, False otherwise
         """
         try:
-            if username in self._api_keys:
-                del self._api_keys[username]
+            # Find API key for the username and remove it
+            api_key_to_remove = None
+            for api_key, user in self._api_keys.items():
+                if user == username:
+                    api_key_to_remove = api_key
+                    break
+            if api_key_to_remove:
+                del self._api_keys[api_key_to_remove]
                 self.logger.info(
                     "API key removed for user", extra={"username": username}

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/mcp_security_framework/core/cert_manager.py RENAMED Viewed

@@ -29,6 +29,7 @@ License: MIT
 import logging
 import os
+import uuid
 from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from typing import Dict, List, Optional, Tuple, Union
@@ -54,6 +55,7 @@ from mcp_security_framework.schemas.models import (
 from mcp_security_framework.utils.cert_utils import (
     extract_permissions_from_certificate,
     extract_roles_from_certificate,
+    extract_unitid_from_certificate,
     get_certificate_expiry,
     get_certificate_serial_number,
     get_crl_info,
@@ -254,6 +256,14 @@ class CertificateManager:
                 x509.BasicConstraints(ca=True, path_length=None), critical=True
             )
+            # Add unitid extension if provided
+            if ca_config.unitid:
+                unitid_extension = x509.UnrecognizedExtension(
+                    oid=x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.3"),
+                    value=ca_config.unitid.encode(),
+                )
+                builder = builder.add_extension(unitid_extension, critical=False)
             builder = builder.add_extension(
                 x509.KeyUsage(
                     digital_signature=True,
@@ -325,6 +335,7 @@ class CertificateManager:
                 not_after=get_not_valid_after_utc(certificate),
                 certificate_type=CertificateType.ROOT_CA,
                 key_size=ca_config.key_size,
+                unitid=ca_config.unitid,
             )
             self.logger.info(
@@ -766,6 +777,14 @@ class CertificateManager:
                 )
                 builder = builder.add_extension(permissions_extension, critical=False)
+            # Add unitid extension if provided
+            if client_config.unitid:
+                unitid_extension = x509.UnrecognizedExtension(
+                    oid=x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.3"),
+                    value=client_config.unitid.encode(),
+                )
+                builder = builder.add_extension(unitid_extension, critical=False)
             # Create certificate
             certificate = builder.sign(ca_key, hashes.SHA256())
@@ -816,6 +835,7 @@ class CertificateManager:
                 not_after=get_not_valid_after_utc(certificate),
                 certificate_type=CertificateType.CLIENT,
                 key_size=client_config.key_size,
+                unitid=client_config.unitid,
             )
             self.logger.info(

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/mcp_security_framework/schemas/config.py RENAMED Viewed

@@ -33,6 +33,7 @@ License: MIT
 from enum import Enum
 from pathlib import Path
 from typing import Any, Dict, List, Optional, Union
+import uuid
 from pydantic import BaseModel, Field, field_validator, model_validator
 from pydantic.types import SecretStr
@@ -599,6 +600,21 @@ class CAConfig(BaseModel):
     hash_algorithm: str = Field(
         default="sha256", description="Hash algorithm for signing"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
 class IntermediateCAConfig(CAConfig):
@@ -668,6 +684,21 @@ class ClientCertConfig(BaseModel):
     )
     ca_cert_path: str = Field(..., description="Path to signing CA certificate")
     ca_key_path: str = Field(..., description="Path to signing CA private key")
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
 class ServerCertConfig(ClientCertConfig):

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/mcp_security_framework/schemas/models.py RENAMED Viewed

@@ -38,6 +38,7 @@ License: MIT
 from datetime import datetime, timedelta, timezone
 from enum import Enum
 from typing import Any, Dict, List, Optional, Set, TypeAlias
+import uuid
 from pydantic import BaseModel, Field, field_validator, model_validator
@@ -140,6 +141,9 @@ class AuthResult(BaseModel):
     metadata: Dict[str, Any] = Field(
         default_factory=dict, description="Additional authentication metadata"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) from certificate"
+    )
     @field_validator("username")
     @classmethod
@@ -149,6 +153,18 @@ class AuthResult(BaseModel):
             raise ValueError("Username cannot be empty")
         return v
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
     @model_validator(mode="after")
     def validate_auth_result(self):
         """Validate authentication result consistency."""
@@ -309,6 +325,9 @@ class CertificateInfo(BaseModel):
     fingerprint_sha256: Optional[str] = Field(
         default=None, description="SHA256 fingerprint"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
     @field_validator("key_size")
     @classmethod
@@ -318,6 +337,18 @@ class CertificateInfo(BaseModel):
             raise ValueError("Key size must be between 512 and 8192 bits")
         return v
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
     @property
     def is_expired(self) -> bool:
         """Check if certificate is expired."""
@@ -424,6 +455,9 @@ class CertificatePair(BaseModel):
     metadata: Dict[str, Any] = Field(
         default_factory=dict, description="Additional certificate metadata"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
     @field_validator("certificate_pem")
     @classmethod
@@ -449,6 +483,18 @@ class CertificatePair(BaseModel):
             raise ValueError("Invalid private key PEM format")
         return v
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
     @property
     def is_expired(self) -> bool:
         """Check if certificate is expired."""

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/mcp_security_framework/utils/cert_utils.py RENAMED Viewed

@@ -160,6 +160,15 @@ def extract_certificate_info(cert_data: Union[str, bytes, Path]) -> Dict:
         if country:
             info["country"] = country[0].value
+        # Extract unitid
+        try:
+            unitid = extract_unitid_from_certificate(cert_data)
+            if unitid:
+                info["unitid"] = unitid
+        except Exception:
+            # If unitid extraction fails, continue without it
+            pass
         return info
     except Exception as e:
         raise CertificateError(f"Certificate information extraction failed: {str(e)}")
@@ -275,6 +284,51 @@ def extract_permissions_from_certificate(
         raise CertificateError(f"Permission extraction failed: {str(e)}")
+def extract_unitid_from_certificate(
+    cert_data: Union[str, bytes, Path],
+) -> Optional[str]:
+    """
+    Extract unitid from certificate extensions.
+    Args:
+        cert_data: Certificate data as string, bytes, or file path
+    Returns:
+        Unit ID (UUID4) found in certificate, or None if not found
+    Raises:
+        CertificateError: If unitid extraction fails
+    """
+    try:
+        cert = parse_certificate(cert_data)
+        unitid = None
+        # Check for custom extension with unitid
+        try:
+            unitid_extension = cert.extensions.get_extension_for_oid(
+                x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.3")  # Custom unitid OID
+            )
+            if unitid_extension:
+                unitid_data = unitid_extension.value.value
+                if isinstance(unitid_data, bytes):
+                    unitid_str = unitid_data.decode("utf-8")
+                    unitid = unitid_str.strip()
+                    # Validate UUID4 format
+                    try:
+                        import uuid
+                        uuid.UUID(unitid, version=4)
+                    except ValueError:
+                        # Invalid UUID4 format, return None
+                        unitid = None
+        except x509.extensions.ExtensionNotFound:
+            pass
+        return unitid
+    except Exception as e:
+        raise CertificateError(f"Unitid extraction failed: {str(e)}")
 def validate_certificate_chain(
     cert_data: Union[str, bytes, Path],
     ca_cert_data: Union[str, bytes, Path, List[Union[str, bytes, Path]]],

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/mcp_security_framework.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-security-framework
-Version: 1.2.0
+Version: 1.2.1
 Summary: Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Requires cryptography>=42.0.0 for certificate operations.
 Author-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>
 Maintainer-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/mcp_security_framework.egg-info/SOURCES.txt RENAMED Viewed

@@ -84,4 +84,5 @@ tests/test_utils/__init__.py
 tests/test_utils/test_cert_utils.py
 tests/test_utils/test_crypto_utils.py
 tests/test_utils/test_datetime_compat.py
+tests/test_utils/test_unitid_compat.py
 tests/test_utils/test_validation_utils.py

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "mcp-security-framework"
-version = "1.2.0"
+version = "1.2.1"
 description = "Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Requires cryptography>=42.0.0 for certificate operations."
 readme = "README.md"
 license = {text = "MIT"}

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.1}/tests/test_core/test_auth_manager.py RENAMED Viewed

@@ -46,7 +46,7 @@ class TestAuthManager:
         # Create test configuration
         self.auth_config = AuthConfig(
-            api_keys={"test_api_key_123": "test_user"},
+            api_keys={"test_user": "test_api_key_123"},
             jwt_secret="test_jwt_secret_key_32_chars_long",
             jwt_expiry_hours=1,
             ca_cert_file=None,
@@ -65,7 +65,7 @@ class TestAuthManager:
         """Test successful AuthManager initialization."""
         assert self.auth_manager.config == self.auth_config
         assert self.auth_manager.permission_manager == self.mock_permission_manager
-        assert self.auth_manager._api_keys == {"test_user": "test_api_key_123"}
+        assert self.auth_manager._api_keys == {"test_api_key_123": "test_user"}
         assert self.auth_manager._jwt_secret == "test_jwt_secret_key_32_chars_long"
         assert isinstance(self.auth_manager._token_cache, dict)
         assert isinstance(self.auth_manager._session_store, dict)
@@ -429,8 +429,8 @@ class TestAuthManager:
         success = self.auth_manager.add_api_key("new_user", "new_api_key_456789")
         assert success is True
-        assert "new_user" in self.auth_manager._api_keys
-        assert self.auth_manager._api_keys["new_user"] == "new_api_key_456789"
+        assert "new_api_key_456789" in self.auth_manager._api_keys
+        assert self.auth_manager._api_keys["new_api_key_456789"] == "new_user"
     def test_add_api_key_invalid_input(self):
         """Test API key addition with invalid input."""
@@ -456,12 +456,12 @@ class TestAuthManager:
         """Test successful API key removal."""
         # Add a key first
         self.auth_manager.add_api_key("temp_user", "temp_key_123456789")
-        assert "temp_user" in self.auth_manager._api_keys
+        assert "temp_key_123456789" in self.auth_manager._api_keys
         # Remove the key
         success = self.auth_manager.remove_api_key("temp_user")
         assert success is True
-        assert "temp_user" not in self.auth_manager._api_keys
+        assert "temp_key_123456789" not in self.auth_manager._api_keys
     def test_remove_api_key_not_found(self):
         """Test API key removal for non-existent user."""

mcp-security-framework 1.2.0__tar.gz → 1.2.1__tar.gz

mcp-security-framework 1.2.0tar.gz → 1.2.1tar.gz