mcp-security-framework 1.2.0__tar.gz → 1.2.2__tar.gz

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-security-framework
-Version: 1.2.0
+Version: 1.2.2
 Summary: Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Requires cryptography>=42.0.0 for certificate operations.
 Author-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>
 Maintainer-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/mcp_security_framework/__init__.py

@@ -71,7 +71,7 @@ from mcp_security_framework.schemas.responses import (
 )
 
 # Version information
-__version__ = "0.1.0"
+__version__ = "1.2.2"
 __author__ = "Vasiliy Zdanovskiy"
 __email__ = "vasilyvz@gmail.com"
 __license__ = "MIT"

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/mcp_security_framework/core/auth_manager.py

@@ -38,6 +38,7 @@ from ..schemas.models import AuthResult, AuthStatus, ValidationResult
 from ..utils.cert_utils import (
     extract_permissions_from_certificate,
     extract_roles_from_certificate,
+    extract_unitid_from_certificate,
     parse_certificate,
     validate_certificate_chain,
 )
@@ -124,20 +125,21 @@ class AuthManager:
         self.logger = logging.getLogger(__name__)
 
         # Initialize storage
-        # Convert API keys from "key": "user" format to "user": "key" format
+        # Store API keys in format: {"api_key": "username"}
         # or handle new format "key": {"username": "user", "roles": ["role1", "role2"]}
         if config.api_keys:
             self._api_keys = {}
             self._api_key_metadata = {}
             for key, value in config.api_keys.items():
                 if isinstance(value, str):
-                    # Old format: "key": "user"
+                    # Old format: "username": "api_key" -> store as {"api_key": "username"}
                     self._api_keys[value] = key
                 elif isinstance(value, dict):
-                    # New format: "key": {"username": "user", "roles": ["role1", "role2"]}
+                    # New format: "username": {"api_key": "key", "roles": ["role1", "role2"]}
+                    api_key = value.get("api_key", key)
                     username = value.get("username", key)
-                    self._api_keys[username] = key
-                    self._api_key_metadata[key] = value
+                    self._api_keys[api_key] = username
+                    self._api_key_metadata[api_key] = value
                 else:
                     self.logger.warning(
                         f"Invalid API key format for key {key}: {value}"
@@ -253,7 +255,7 @@ class AuthManager:
             # Find user by API key
             username = None
             user_roles = []
-            for user, api_key_in_config in self._api_keys.items():
+            for api_key_in_config, user in self._api_keys.items():
                 if api_key_in_config == api_key:
                     username = user
                     # Check if we have metadata for this API key
@@ -625,6 +627,16 @@ class AuthManager:
                 )
                 roles = []
 
+            # Extract unitid from certificate
+            unitid = None
+            try:
+                unitid = extract_unitid_from_certificate(cert_pem)
+            except Exception as e:
+                self.logger.warning(
+                    "Failed to extract unitid from certificate",
+                    extra={"username": username, "error": str(e)},
+                )
+
             # Validate certificate chain if CA is configured
             if self.config.ca_cert_file:
                 try:
@@ -656,6 +668,7 @@ class AuthManager:
                 auth_method="certificate",
                 auth_timestamp=datetime.now(timezone.utc),
                 token_expiry=get_not_valid_after_utc(cert),
+                unitid=unitid,
             )
 
             self.logger.info(
@@ -861,7 +874,7 @@ class AuthManager:
             if not validate_api_key_format(api_key):
                 return False
 
-            self._api_keys[username] = api_key
+            self._api_keys[api_key] = username
 
             self.logger.info("API key added for user", extra={"username": username})
 
@@ -884,8 +897,15 @@ class AuthManager:
             bool: True if API key was removed successfully, False otherwise
         """
         try:
-            if username in self._api_keys:
-                del self._api_keys[username]
+            # Find API key for the username and remove it
+            api_key_to_remove = None
+            for api_key, user in self._api_keys.items():
+                if user == username:
+                    api_key_to_remove = api_key
+                    break
+            
+            if api_key_to_remove:
+                del self._api_keys[api_key_to_remove]
 
                 self.logger.info(
                     "API key removed for user", extra={"username": username}

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/mcp_security_framework/core/cert_manager.py

@@ -29,6 +29,7 @@ License: MIT
 
 import logging
 import os
+import uuid
 from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from typing import Dict, List, Optional, Tuple, Union
@@ -54,6 +55,7 @@ from mcp_security_framework.schemas.models import (
 from mcp_security_framework.utils.cert_utils import (
     extract_permissions_from_certificate,
     extract_roles_from_certificate,
+    extract_unitid_from_certificate,
     get_certificate_expiry,
     get_certificate_serial_number,
     get_crl_info,
@@ -254,6 +256,14 @@ class CertificateManager:
                 x509.BasicConstraints(ca=True, path_length=None), critical=True
             )
 
+            # Add unitid extension if provided
+            if ca_config.unitid:
+                unitid_extension = x509.UnrecognizedExtension(
+                    oid=x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.3"),
+                    value=ca_config.unitid.encode(),
+                )
+                builder = builder.add_extension(unitid_extension, critical=False)
+
             builder = builder.add_extension(
                 x509.KeyUsage(
                     digital_signature=True,
@@ -325,6 +335,7 @@ class CertificateManager:
                 not_after=get_not_valid_after_utc(certificate),
                 certificate_type=CertificateType.ROOT_CA,
                 key_size=ca_config.key_size,
+                unitid=ca_config.unitid,
             )
 
             self.logger.info(
@@ -766,6 +777,14 @@ class CertificateManager:
                 )
                 builder = builder.add_extension(permissions_extension, critical=False)
 
+            # Add unitid extension if provided
+            if client_config.unitid:
+                unitid_extension = x509.UnrecognizedExtension(
+                    oid=x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.3"),
+                    value=client_config.unitid.encode(),
+                )
+                builder = builder.add_extension(unitid_extension, critical=False)
+
             # Create certificate
             certificate = builder.sign(ca_key, hashes.SHA256())
 
@@ -816,6 +835,7 @@ class CertificateManager:
                 not_after=get_not_valid_after_utc(certificate),
                 certificate_type=CertificateType.CLIENT,
                 key_size=client_config.key_size,
+                unitid=client_config.unitid,
             )
 
             self.logger.info(

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/mcp_security_framework/schemas/config.py

@@ -33,6 +33,7 @@ License: MIT
 from enum import Enum
 from pathlib import Path
 from typing import Any, Dict, List, Optional, Union
+import uuid
 
 from pydantic import BaseModel, Field, field_validator, model_validator
 from pydantic.types import SecretStr
@@ -246,8 +247,12 @@ class CertificateConfig(BaseModel):
     This model defines certificate management configuration settings
     including CA settings, certificate storage, and validation options.
 
+    BUGFIX: Added ca_creation_mode to allow CA certificate creation
+    without requiring existing CA paths.
+
     Attributes:
         enabled: Whether certificate management is enabled
+        ca_creation_mode: Whether we are in CA creation mode (bypasses CA path validation)
         ca_cert_path: Path to CA certificate
         ca_key_path: Path to CA private key
         cert_storage_path: Path for certificate storage
@@ -265,6 +270,9 @@ class CertificateConfig(BaseModel):
     enabled: bool = Field(
         default=False, description="Whether certificate management is enabled"
     )
+    ca_creation_mode: bool = Field(
+        default=False, description="Whether we are in CA creation mode (bypasses CA path validation)"
+    )
     ca_cert_path: Optional[str] = Field(
         default=None, description="Path to CA certificate"
     )
@@ -316,10 +324,13 @@ class CertificateConfig(BaseModel):
     def validate_certificate_configuration(self):
         """Validate certificate configuration consistency."""
         if self.enabled:
-            if not self.ca_cert_path or not self.ca_key_path:
-                raise ValueError(
-                    "Certificate management enabled but CA certificate and key paths are required"
-                )
+            # BUGFIX: Only require CA paths if not in CA creation mode
+            if not self.ca_creation_mode:
+                if not self.ca_cert_path or not self.ca_key_path:
+                    raise ValueError(
+                        "Certificate management enabled but CA certificate and key paths are required. "
+                        "Set ca_creation_mode=True if you are creating a CA certificate."
+                    )
 
         if self.crl_enabled and not self.crl_path:
             raise ValueError("CRL enabled but CRL path is required")
@@ -599,6 +610,21 @@ class CAConfig(BaseModel):
     hash_algorithm: str = Field(
         default="sha256", description="Hash algorithm for signing"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
+
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
 
 
 class IntermediateCAConfig(CAConfig):
@@ -668,6 +694,21 @@ class ClientCertConfig(BaseModel):
     )
     ca_cert_path: str = Field(..., description="Path to signing CA certificate")
     ca_key_path: str = Field(..., description="Path to signing CA private key")
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
+
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
 
 
 class ServerCertConfig(ClientCertConfig):

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/mcp_security_framework/schemas/models.py

@@ -38,6 +38,7 @@ License: MIT
 from datetime import datetime, timedelta, timezone
 from enum import Enum
 from typing import Any, Dict, List, Optional, Set, TypeAlias
+import uuid
 
 from pydantic import BaseModel, Field, field_validator, model_validator
 
@@ -140,6 +141,9 @@ class AuthResult(BaseModel):
     metadata: Dict[str, Any] = Field(
         default_factory=dict, description="Additional authentication metadata"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) from certificate"
+    )
 
     @field_validator("username")
     @classmethod
@@ -149,6 +153,18 @@ class AuthResult(BaseModel):
             raise ValueError("Username cannot be empty")
         return v
 
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
+
     @model_validator(mode="after")
     def validate_auth_result(self):
         """Validate authentication result consistency."""
@@ -309,6 +325,9 @@ class CertificateInfo(BaseModel):
     fingerprint_sha256: Optional[str] = Field(
         default=None, description="SHA256 fingerprint"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
 
     @field_validator("key_size")
     @classmethod
@@ -318,6 +337,18 @@ class CertificateInfo(BaseModel):
             raise ValueError("Key size must be between 512 and 8192 bits")
         return v
 
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
+
     @property
     def is_expired(self) -> bool:
         """Check if certificate is expired."""
@@ -424,6 +455,9 @@ class CertificatePair(BaseModel):
     metadata: Dict[str, Any] = Field(
         default_factory=dict, description="Additional certificate metadata"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
 
     @field_validator("certificate_pem")
     @classmethod
@@ -449,6 +483,18 @@ class CertificatePair(BaseModel):
             raise ValueError("Invalid private key PEM format")
         return v
 
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
+
     @property
     def is_expired(self) -> bool:
         """Check if certificate is expired."""

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/mcp_security_framework/utils/cert_utils.py

@@ -160,6 +160,15 @@ def extract_certificate_info(cert_data: Union[str, bytes, Path]) -> Dict:
         if country:
             info["country"] = country[0].value
 
+        # Extract unitid
+        try:
+            unitid = extract_unitid_from_certificate(cert_data)
+            if unitid:
+                info["unitid"] = unitid
+        except Exception:
+            # If unitid extraction fails, continue without it
+            pass
+
         return info
     except Exception as e:
         raise CertificateError(f"Certificate information extraction failed: {str(e)}")
@@ -275,6 +284,51 @@ def extract_permissions_from_certificate(
         raise CertificateError(f"Permission extraction failed: {str(e)}")
 
 
+def extract_unitid_from_certificate(
+    cert_data: Union[str, bytes, Path],
+) -> Optional[str]:
+    """
+    Extract unitid from certificate extensions.
+
+    Args:
+        cert_data: Certificate data as string, bytes, or file path
+
+    Returns:
+        Unit ID (UUID4) found in certificate, or None if not found
+
+    Raises:
+        CertificateError: If unitid extraction fails
+    """
+    try:
+        cert = parse_certificate(cert_data)
+        unitid = None
+
+        # Check for custom extension with unitid
+        try:
+            unitid_extension = cert.extensions.get_extension_for_oid(
+                x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.3")  # Custom unitid OID
+            )
+            if unitid_extension:
+                unitid_data = unitid_extension.value.value
+                if isinstance(unitid_data, bytes):
+                    unitid_str = unitid_data.decode("utf-8")
+                    unitid = unitid_str.strip()
+                    
+                    # Validate UUID4 format
+                    try:
+                        import uuid
+                        uuid.UUID(unitid, version=4)
+                    except ValueError:
+                        # Invalid UUID4 format, return None
+                        unitid = None
+        except x509.extensions.ExtensionNotFound:
+            pass
+
+        return unitid
+    except Exception as e:
+        raise CertificateError(f"Unitid extraction failed: {str(e)}")
+
+
 def validate_certificate_chain(
     cert_data: Union[str, bytes, Path],
     ca_cert_data: Union[str, bytes, Path, List[Union[str, bytes, Path]]],

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/mcp_security_framework.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-security-framework
-Version: 1.2.0
+Version: 1.2.2
 Summary: Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Requires cryptography>=42.0.0 for certificate operations.
 Author-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>
 Maintainer-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/mcp_security_framework.egg-info/SOURCES.txt

@@ -84,4 +84,5 @@ tests/test_utils/__init__.py
 tests/test_utils/test_cert_utils.py
 tests/test_utils/test_crypto_utils.py
 tests/test_utils/test_datetime_compat.py
+tests/test_utils/test_unitid_compat.py
 tests/test_utils/test_validation_utils.py

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mcp-security-framework"
-version = "1.2.0"
+version = "1.2.2"
 description = "Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Requires cryptography>=42.0.0 for certificate operations."
 readme = "README.md"
 license = {text = "MIT"}

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/tests/test_core/test_auth_manager.py

@@ -46,7 +46,7 @@ class TestAuthManager:
 
         # Create test configuration
         self.auth_config = AuthConfig(
-            api_keys={"test_api_key_123": "test_user"},
+            api_keys={"test_user": "test_api_key_123"},
             jwt_secret="test_jwt_secret_key_32_chars_long",
             jwt_expiry_hours=1,
             ca_cert_file=None,
@@ -65,7 +65,7 @@ class TestAuthManager:
         """Test successful AuthManager initialization."""
         assert self.auth_manager.config == self.auth_config
         assert self.auth_manager.permission_manager == self.mock_permission_manager
-        assert self.auth_manager._api_keys == {"test_user": "test_api_key_123"}
+        assert self.auth_manager._api_keys == {"test_api_key_123": "test_user"}
         assert self.auth_manager._jwt_secret == "test_jwt_secret_key_32_chars_long"
         assert isinstance(self.auth_manager._token_cache, dict)
         assert isinstance(self.auth_manager._session_store, dict)
@@ -429,8 +429,8 @@ class TestAuthManager:
         success = self.auth_manager.add_api_key("new_user", "new_api_key_456789")
 
         assert success is True
-        assert "new_user" in self.auth_manager._api_keys
-        assert self.auth_manager._api_keys["new_user"] == "new_api_key_456789"
+        assert "new_api_key_456789" in self.auth_manager._api_keys
+        assert self.auth_manager._api_keys["new_api_key_456789"] == "new_user"
 
     def test_add_api_key_invalid_input(self):
         """Test API key addition with invalid input."""
@@ -456,12 +456,12 @@ class TestAuthManager:
         """Test successful API key removal."""
         # Add a key first
         self.auth_manager.add_api_key("temp_user", "temp_key_123456789")
-        assert "temp_user" in self.auth_manager._api_keys
+        assert "temp_key_123456789" in self.auth_manager._api_keys
 
         # Remove the key
         success = self.auth_manager.remove_api_key("temp_user")
         assert success is True
-        assert "temp_user" not in self.auth_manager._api_keys
+        assert "temp_key_123456789" not in self.auth_manager._api_keys
 
     def test_remove_api_key_not_found(self):
         """Test API key removal for non-existent user."""

{mcp_security_framework-1.2.0 → mcp_security_framework-1.2.2}/tests/test_schemas/test_config.py

@@ -195,6 +195,7 @@ class TestCertificateConfig:
         config = CertificateConfig()
 
         assert config.enabled is False
+        assert config.ca_creation_mode is False
         assert config.ca_cert_path is None
         assert config.ca_key_path is None
         assert config.cert_storage_path == "./certs"
@@ -217,6 +218,7 @@ class TestCertificateConfig:
             "Certificate management enabled but CA certificate and key paths are required"
             in str(exc_info.value)
         )
+        assert "ca_creation_mode=True" in str(exc_info.value)
 
     def test_certificate_config_crl_enabled_without_path(self):
         """Test CertificateConfig validation when CRL enabled without path."""
@@ -272,6 +274,54 @@ class TestCertificateConfig:
         with pytest.raises(ValidationError):
             CertificateConfig(default_validity_days=3651)
 
+    def test_certificate_config_ca_creation_mode(self):
+        """Test CertificateConfig with CA creation mode enabled."""
+        config = CertificateConfig(
+            enabled=True,
+            ca_creation_mode=True,
+            cert_storage_path="./certs",
+            key_storage_path="./keys"
+        )
+
+        assert config.enabled is True
+        assert config.ca_creation_mode is True
+        assert config.ca_cert_path is None
+        assert config.ca_key_path is None
+        assert config.cert_storage_path == "./certs"
+        assert config.key_storage_path == "./keys"
+
+    def test_certificate_config_ca_creation_mode_with_ca_paths(self):
+        """Test CertificateConfig with CA creation mode and CA paths (should work)."""
+        config = CertificateConfig(
+            enabled=True,
+            ca_creation_mode=True,
+            ca_cert_path="./certs/ca.crt",
+            ca_key_path="./keys/ca.key",
+            cert_storage_path="./certs",
+            key_storage_path="./keys"
+        )
+
+        assert config.enabled is True
+        assert config.ca_creation_mode is True
+        assert config.ca_cert_path == "./certs/ca.crt"
+        assert config.ca_key_path == "./keys/ca.key"
+
+    def test_certificate_config_normal_mode_with_ca_paths(self):
+        """Test CertificateConfig in normal mode with CA paths."""
+        config = CertificateConfig(
+            enabled=True,
+            ca_creation_mode=False,
+            ca_cert_path="./certs/ca.crt",
+            ca_key_path="./keys/ca.key",
+            cert_storage_path="./certs",
+            key_storage_path="./keys"
+        )
+
+        assert config.enabled is True
+        assert config.ca_creation_mode is False
+        assert config.ca_cert_path == "./certs/ca.crt"
+        assert config.ca_key_path == "./keys/ca.key"
+
 
 class TestPermissionConfig:
     """Test suite for PermissionConfig class."""