mcp-security-framework 1.2.3__py3-none-any.whl → 1.2.4__py3-none-any.whl

mcp_security_framework/core/permission_manager.py

@@ -26,11 +26,10 @@ License: MIT
 import json
 import logging
 from pathlib import Path
-from typing import Dict, List, Optional, Set
+from typing import Dict, List, Set
 
 from ..schemas.config import PermissionConfig
 from ..schemas.models import ValidationResult, ValidationStatus
-from ..utils.validation_utils import validate_configuration_file
 
 
 class PermissionManager:
@@ -227,10 +226,14 @@ class PermissionManager:
         if not user_roles:
             return set()
 
-        # Validate that all roles exist
-        invalid_roles = [role for role in user_roles if role not in self._roles]
-        if invalid_roles:
-            raise RoleNotFoundError(f"Invalid roles: {invalid_roles}")
+        # Validate that all roles exist (only if roles are loaded)
+        if self._roles:  # Only validate if roles are loaded
+            invalid_roles = [role for role in user_roles if role not in self._roles]
+            if invalid_roles:
+                raise RoleNotFoundError(f"Invalid roles: {invalid_roles}")
+        else:
+            # If no roles are loaded, return empty set for any role
+            return set()
 
         # Create cache key
         cache_key = tuple(sorted(user_roles))
@@ -269,9 +272,15 @@ class PermissionManager:
             RoleNotFoundError: When either role is not found
         """
         if child_role not in self._roles:
+            # If no roles are loaded, return False
+            if not self._roles:
+                return False
             raise RoleNotFoundError(f"Child role not found: {child_role}")
 
         if parent_role not in self._roles:
+            # If no roles are loaded, return False
+            if not self._roles:
+                return False
             raise RoleNotFoundError(f"Parent role not found: {parent_role}")
 
         if child_role == parent_role:
@@ -473,6 +482,9 @@ class PermissionManager:
             RoleNotFoundError: When role is not found in configuration
         """
         if role not in self._roles:
+            # If no roles are loaded, return empty list
+            if not self._roles:
+                return []
             raise RoleNotFoundError(f"Role not found: {role}")
 
         return self._roles[role].get("permissions", []).copy()
@@ -563,6 +575,14 @@ class PermissionManager:
     def _load_roles_configuration(self) -> None:
         """Load roles configuration from file."""
         try:
+            # Handle null or empty roles_file
+            if not self.config.roles_file:
+                self.logger.warning(
+                    "No roles file specified, using empty roles configuration"
+                )
+                self._roles = {}
+                return
+
             roles_file = Path(self.config.roles_file)
 
             if not roles_file.exists():

mcp_security_framework/schemas/config.py

@@ -271,7 +271,8 @@ class CertificateConfig(BaseModel):
         default=False, description="Whether certificate management is enabled"
     )
     ca_creation_mode: bool = Field(
-        default=False, description="Whether we are in CA creation mode (bypasses CA path validation)"
+        default=False,
+        description="Whether we are in CA creation mode (bypasses CA path validation)",
     )
     ca_cert_path: Optional[str] = Field(
         default=None, description="Path to CA certificate"
@@ -390,7 +391,17 @@ class PermissionConfig(BaseModel):
     @classmethod
     def validate_roles_file(cls, v):
         """Validate roles file path."""
-        if v is not None and not Path(v).exists():
+        # Allow None, empty string, null values, or whitespace-only strings
+        if (
+            v is None
+            or v == ""
+            or v == "null"
+            or (isinstance(v, str) and v.strip() == "")
+        ):
+            return None
+
+        # If a path is provided, check if it exists
+        if v and not Path(v).exists():
             raise ValueError(f"Roles file does not exist: {v}")
         return v
 

{mcp_security_framework-1.2.3.dist-info → mcp_security_framework-1.2.4.dist-info}/METADATA

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: mcp-security-framework
-Version: 1.2.3
-Summary: Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Requires cryptography>=42.0.0 for certificate operations.
+Version: 1.2.4
+Summary: Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Fixed MCP Proxy Adapter JSON-RPC authentication issue with null roles_file. Requires cryptography>=42.0.0 for certificate operations.
 Author-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>
 Maintainer-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>
 License: MIT

{mcp_security_framework-1.2.3.dist-info → mcp_security_framework-1.2.4.dist-info}/RECORD

@@ -6,7 +6,7 @@ mcp_security_framework/cli/security_cli.py,sha256=Thine_Zzfesz7j29y2k_XZFYUK5YSr
 mcp_security_framework/core/__init__.py,sha256=LiX8_M5qWiTXccJFjSLxup9emhklp-poq57SvznsKEg,1729
 mcp_security_framework/core/auth_manager.py,sha256=GqGAW83Qg1_z2HJ0-FEVTmlli_DBSOPOap2jJMEU1_k,39882
 mcp_security_framework/core/cert_manager.py,sha256=F3rWpqi-YZtaCt3g-KpoqJ1WY22TGaVLEkacKKTrHxw,89094
-mcp_security_framework/core/permission_manager.py,sha256=SADS_oXpwp9MhXHKJMCsvjEq8KWcz7vPYL05Yr-zfio,26478
+mcp_security_framework/core/permission_manager.py,sha256=P6ENqC6sCH4ig_DBfMGALsw-ooRrXJGvQjPyLZrKo9k,27228
 mcp_security_framework/core/rate_limiter.py,sha256=6qjVBxK2YHouSxQuCcbr0PBpRqA5toQss_Ce178RElY,20682
 mcp_security_framework/core/security_manager.py,sha256=mAF-5znqxin-MSSgXISB7t1kTkqHltEqGzzmlLAhRGs,37766
 mcp_security_framework/core/ssl_manager.py,sha256=SXuN5PMTAnMNz04CEKzHbxRKjzF-VqvS-QCFhV-wFeo,29133
@@ -29,7 +29,7 @@ mcp_security_framework/middleware/mtls_middleware.py,sha256=WSyWIk1fCN96hkofODKj
 mcp_security_framework/middleware/rate_limit_middleware.py,sha256=deCwwigI0Pt7pBUnk2jDurI9ZyjujWTsexEWWndXm3g,13177
 mcp_security_framework/middleware/security_middleware.py,sha256=PQ251Fr2UrYVPgGfhXq6QJyqK2tRk0WCIg9_FBvfVkg,16844
 mcp_security_framework/schemas/__init__.py,sha256=lefkbRlbj2ICfasSj51MQ04o3z1YycnbnknSJCFfXbU,2590
-mcp_security_framework/schemas/config.py,sha256=I2bBypkNkE3d8Zv5IPeduggFUfIUA5Pyi56NmT1a_5g,27385
+mcp_security_framework/schemas/config.py,sha256=AQEQ8260ZwP9QpTdmpQ9EbU13P7TEyPAA5B48TWssp8,27687
 mcp_security_framework/schemas/models.py,sha256=Izjy3I55zjMVLsVZpXZ0M4aK3SCks9sC2U1cbxrXYeI,28439
 mcp_security_framework/schemas/responses.py,sha256=nVXaqF5GTSprXTa_wiUEu38nvSw9WAXtKViAJNbO-Xg,23206
 mcp_security_framework/tests/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -47,6 +47,7 @@ tests/test_core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tests/test_core/test_auth_manager.py,sha256=7Z2DLfJLqKtiwX5Q-lR85hN6NxHbE2Q_FT7IsoyKPQk,22568
 tests/test_core/test_cert_manager.py,sha256=AVaJlWrWTFMO4MqxzVx39QAwB5zbYhVHQwdYUgNNplk,38091
 tests/test_core/test_permission_manager.py,sha256=0XeghWXZqVpKyyRuhuDu1dkLUSwuZaFWkRQxQhkkFVI,14966
+tests/test_core/test_permission_manager_null_roles.py,sha256=ajYFpkWgJqtamOU1eI3HlO0WiMdDpPB8br2rp2VjxCY,10403
 tests/test_core/test_rate_limiter.py,sha256=YzzlhlxZm-A7YGMiIV8LXDA0zmb_6uRF9GRx9s21Q0U,22544
 tests/test_core/test_security_manager.py,sha256=C5uPFALAkitmHbi-L8xF1OyfOmVHQSq1g-PLkwl_LDU,35007
 tests/test_core/test_ssl_manager.py,sha256=Vm_Nw4SoVro_iwPPc_uD9CwzXpVBkGyVH7EqDtHawvU,20362
@@ -69,6 +70,7 @@ tests/test_middleware/test_flask_middleware.py,sha256=JqWr5MknE6AvnUUf2Cr0ME6l_w
 tests/test_middleware/test_security_middleware.py,sha256=J69rVgsnohQp2ucUnGRyWCWZxt6RF2tQ9vQNLFlDXEg,19199
 tests/test_schemas/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tests/test_schemas/test_config.py,sha256=m0TKYPXKC2QdkVmUc7UPEF3yOANL5Ee1v93DZswSMvk,31347
+tests/test_schemas/test_config_null_roles.py,sha256=xF7d1-moagxWp3TSNERMVrp6g9vzRqR-t9mMgfzK0xI,9491
 tests/test_schemas/test_models.py,sha256=bBeZOPqveuVJuEi_BTVWdVsdj08JXJTEFwvBM4eFRVU,34311
 tests/test_schemas/test_responses.py,sha256=ZSbO7A3ThPBovTXO8PFF-2ONWAjJx2dMOoV2lQIfd8s,40774
 tests/test_schemas/test_serialization.py,sha256=jCugAyrdD6Mw1U7Kxni9oTukarZmMMl6KUcl6cq_NTk,18599
@@ -78,8 +80,8 @@ tests/test_utils/test_crypto_utils.py,sha256=yEb4hzG6-irj2DPoXY0DUboJfbeR87ussgT
 tests/test_utils/test_datetime_compat.py,sha256=n8S4X5HN-_ejSNpgymDXRyZkmxhnyxwwjxFPdX23I40,5656
 tests/test_utils/test_unitid_compat.py,sha256=MWh03A4FwzQyZa20PKHEWz4W03YtARwBOd_1JbABznQ,25544
 tests/test_utils/test_validation_utils.py,sha256=lus_wHJ2WyVnBGQ28S7dSv78uWcCIuLhn5uflJw-uGw,18569
-mcp_security_framework-1.2.3.dist-info/METADATA,sha256=4v-tLjiCOSD0yJE-WcvjV4Ryds0OVQBwlIrECAfzUZ0,11771
-mcp_security_framework-1.2.3.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-mcp_security_framework-1.2.3.dist-info/entry_points.txt,sha256=qBh92fVDmd1m2f3xeW0hTu3Ksg8QfGJyV8UEkdA2itg,142
-mcp_security_framework-1.2.3.dist-info/top_level.txt,sha256=ifUiGrTDcD574MXSOoAN2rp2wpUvWlb4jD9LTUgDWCA,29
-mcp_security_framework-1.2.3.dist-info/RECORD,,
+mcp_security_framework-1.2.4.dist-info/METADATA,sha256=j3FYSacZFO8OwGfkn-B6om8z1ZcATSmUZrGxnIZLDCk,11847
+mcp_security_framework-1.2.4.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+mcp_security_framework-1.2.4.dist-info/entry_points.txt,sha256=qBh92fVDmd1m2f3xeW0hTu3Ksg8QfGJyV8UEkdA2itg,142
+mcp_security_framework-1.2.4.dist-info/top_level.txt,sha256=ifUiGrTDcD574MXSOoAN2rp2wpUvWlb4jD9LTUgDWCA,29
+mcp_security_framework-1.2.4.dist-info/RECORD,,

tests/test_core/test_permission_manager_null_roles.py

@@ -0,0 +1,265 @@
+"""
+Tests for PermissionManager with null roles_file
+
+This module contains tests for the PermissionManager when roles_file
+is set to null or None, ensuring graceful handling of this configuration.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import pytest
+from unittest.mock import patch
+from mcp_security_framework.core.permission_manager import PermissionManager
+from mcp_security_framework.schemas.config import PermissionConfig
+from mcp_security_framework.schemas.models import ValidationResult, ValidationStatus
+
+
+class TestPermissionManagerNullRoles:
+    """Test suite for PermissionManager with null roles_file."""
+
+    def test_permission_manager_with_null_roles_file(self):
+        """Test PermissionManager initialization with null roles_file."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        # Should not raise an exception
+        perm_manager = PermissionManager(config)
+
+        # Should have empty roles
+        assert perm_manager._roles == {}
+
+        # Should be able to validate access with default role
+        result = perm_manager.validate_access(["guest"], ["read:public"])
+        assert isinstance(result, ValidationResult)
+
+    def test_permission_manager_with_empty_roles_file(self):
+        """Test PermissionManager initialization with empty roles_file."""
+        config = PermissionConfig(enabled=True, roles_file="", default_role="guest")
+
+        # Should not raise an exception
+        perm_manager = PermissionManager(config)
+
+        # Should have empty roles
+        assert perm_manager._roles == {}
+
+    def test_permission_manager_with_string_null_roles_file(self):
+        """Test PermissionManager initialization with string 'null' roles_file."""
+        config = PermissionConfig(enabled=True, roles_file="null", default_role="guest")
+
+        # Should not raise an exception
+        perm_manager = PermissionManager(config)
+
+        # Should have empty roles
+        assert perm_manager._roles == {}
+
+    def test_permission_manager_validation_with_empty_roles(self):
+        """Test permission validation when no roles are loaded."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        perm_manager = PermissionManager(config)
+
+        # Test validation with guest role
+        result = perm_manager.validate_access(["guest"], ["read:public"])
+        assert isinstance(result, ValidationResult)
+
+        # Test validation with unknown role
+        result = perm_manager.validate_access(["unknown"], ["read:public"])
+        assert isinstance(result, ValidationResult)
+        assert result.status == ValidationStatus.INVALID
+
+    def test_permission_manager_get_effective_permissions_empty_roles(self):
+        """Test getting effective permissions when no roles are loaded."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        perm_manager = PermissionManager(config)
+
+        # Should return empty set for any role
+        permissions = perm_manager.get_effective_permissions(["guest"])
+        assert permissions == set()
+
+        permissions = perm_manager.get_effective_permissions(["admin"])
+        assert permissions == set()
+
+    def test_permission_manager_export_roles_config_empty(self):
+        """Test exporting roles configuration when no roles are loaded."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        perm_manager = PermissionManager(config)
+
+        # Should export empty configuration
+        exported = perm_manager.export_roles_config()
+        assert "roles" in exported
+        assert exported["roles"] == {}
+        assert "permissions" in exported
+        assert exported["permissions"] == {}
+
+    def test_permission_manager_cache_operations_empty_roles(self):
+        """Test cache operations when no roles are loaded."""
+        config = PermissionConfig(
+            enabled=True,
+            roles_file=None,
+            default_role="guest",
+            permission_cache_enabled=True,
+        )
+
+        perm_manager = PermissionManager(config)
+
+        # Cache operations should work without errors
+        perm_manager.clear_cache()
+        perm_manager.clear_permission_cache()
+
+        # Cache should be empty
+        assert len(perm_manager._permission_cache) == 0
+
+    def test_permission_manager_role_operations_empty_roles(self):
+        """Test role operations when no roles are loaded."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        perm_manager = PermissionManager(config)
+
+        # Role operations should work without errors
+        roles = perm_manager.get_all_roles()
+        assert roles == []
+
+        # Getting role permissions should work (returns empty for unknown roles)
+        permissions = perm_manager.get_role_permissions("test_role")
+        assert permissions == []
+
+    def test_permission_manager_hierarchy_operations_empty_roles(self):
+        """Test hierarchy operations when no roles are loaded."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        perm_manager = PermissionManager(config)
+
+        # Hierarchy operations should work without errors
+        hierarchy = perm_manager.get_role_hierarchy()
+        assert hierarchy == {}
+
+        # Checking hierarchy should work
+        is_hierarchy = perm_manager.check_role_hierarchy("child", "parent")
+        assert is_hierarchy is False
+
+    def test_permission_manager_permission_operations_empty_roles(self):
+        """Test permission operations when no roles are loaded."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        perm_manager = PermissionManager(config)
+
+        # Permission operations should work without errors
+        # Note: get_all_permissions doesn't exist, so we test role permissions instead
+        permissions = perm_manager.get_role_permissions("guest")
+        assert permissions == []
+
+    def test_permission_manager_validation_with_wildcards_empty_roles(self):
+        """Test wildcard permission validation when no roles are loaded."""
+        config = PermissionConfig(
+            enabled=True,
+            roles_file=None,
+            default_role="guest",
+            wildcard_permissions=True,
+        )
+
+        perm_manager = PermissionManager(config)
+
+        # Wildcard validation should work without errors
+        result = perm_manager.validate_access(["guest"], ["*"])
+        assert isinstance(result, ValidationResult)
+
+        result = perm_manager.validate_access(["guest"], ["read:*"])
+        assert isinstance(result, ValidationResult)
+
+    def test_permission_manager_strict_mode_empty_roles(self):
+        """Test strict mode validation when no roles are loaded."""
+        config = PermissionConfig(
+            enabled=True, roles_file=None, default_role="guest", strict_mode=True
+        )
+
+        perm_manager = PermissionManager(config)
+
+        # Strict mode validation should work without errors
+        result = perm_manager.validate_access(["guest"], ["read:public"])
+        assert isinstance(result, ValidationResult)
+
+        result = perm_manager.validate_access(["unknown"], ["read:public"])
+        assert isinstance(result, ValidationResult)
+        assert result.status == ValidationStatus.INVALID
+
+    def test_permission_manager_cache_ttl_empty_roles(self):
+        """Test cache TTL operations when no roles are loaded."""
+        config = PermissionConfig(
+            enabled=True,
+            roles_file=None,
+            default_role="guest",
+            permission_cache_enabled=True,
+            permission_cache_ttl=300,
+        )
+
+        perm_manager = PermissionManager(config)
+
+        # Cache TTL operations should work without errors
+        assert perm_manager._cache_enabled is True
+
+        # Cache should be empty but functional
+        permissions = perm_manager.get_effective_permissions(["guest"])
+        assert permissions == set()
+
+    def test_permission_manager_error_handling_empty_roles(self):
+        """Test error handling when no roles are loaded."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        perm_manager = PermissionManager(config)
+
+        # Error handling should work without errors
+        try:
+            perm_manager.validate_access([], ["read:public"])
+        except Exception as e:
+            pytest.fail(f"validate_access raised an exception: {e}")
+
+        try:
+            perm_manager.validate_access(["guest"], [])
+        except Exception as e:
+            pytest.fail(f"validate_access raised an exception: {e}")
+
+    def test_permission_manager_logging_empty_roles(self):
+        """Test logging when no roles are loaded."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        # Should not raise an exception during initialization
+        with patch(
+            "mcp_security_framework.core.permission_manager.logging.getLogger"
+        ) as mock_logger:
+            mock_logger_instance = mock_logger.return_value
+            perm_manager = PermissionManager(config)
+
+            # Should log warning about empty roles configuration
+            mock_logger_instance.warning.assert_called_with(
+                "No roles file specified, using empty roles configuration"
+            )
+
+    def test_permission_manager_integration_empty_roles(self):
+        """Test full integration when no roles are loaded."""
+        config = PermissionConfig(
+            enabled=True,
+            roles_file=None,
+            default_role="guest",
+            permission_cache_enabled=True,
+            wildcard_permissions=True,
+            strict_mode=True,
+        )
+
+        # Should initialize without errors
+        perm_manager = PermissionManager(config)
+
+        # All operations should work
+        assert perm_manager._roles == {}
+        assert perm_manager._hierarchy == {}
+        assert perm_manager._permission_cache == {}
+        assert perm_manager._cache_enabled is True
+
+        # Validation should work
+        result = perm_manager.validate_access(["guest"], ["read:public"])
+        assert isinstance(result, ValidationResult)
+
+        # Cache operations should work
+        perm_manager.clear_cache()
+        assert len(perm_manager._permission_cache) == 0

tests/test_schemas/test_config_null_roles.py

@@ -0,0 +1,252 @@
+"""
+Tests for PermissionConfig with null roles_file
+
+This module contains tests for the PermissionConfig validation
+when roles_file is set to null, None, or empty values.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+
+import pytest
+from mcp_security_framework.schemas.config import PermissionConfig
+
+
+class TestPermissionConfigNullRoles:
+    """Test suite for PermissionConfig with null roles_file."""
+
+    def test_permission_config_with_none_roles_file(self):
+        """Test PermissionConfig with None roles_file."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        assert config.roles_file is None
+        assert config.enabled is True
+        assert config.default_role == "guest"
+
+    def test_permission_config_with_empty_roles_file(self):
+        """Test PermissionConfig with empty string roles_file."""
+        config = PermissionConfig(enabled=True, roles_file="", default_role="guest")
+
+        assert config.roles_file is None
+        assert config.enabled is True
+        assert config.default_role == "guest"
+
+    def test_permission_config_with_string_null_roles_file(self):
+        """Test PermissionConfig with string 'null' roles_file."""
+        config = PermissionConfig(enabled=True, roles_file="null", default_role="guest")
+
+        assert config.roles_file is None
+        assert config.enabled is True
+        assert config.default_role == "guest"
+
+    def test_permission_config_with_valid_roles_file(self):
+        """Test PermissionConfig with valid roles_file."""
+        # Create a temporary file for testing
+        import tempfile
+        import os
+
+        with tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False) as f:
+            f.write('{"roles": {}}')
+            temp_file = f.name
+
+        try:
+            config = PermissionConfig(
+                enabled=True, roles_file=temp_file, default_role="guest"
+            )
+
+            assert config.roles_file == temp_file
+            assert config.enabled is True
+            assert config.default_role == "guest"
+        finally:
+            os.unlink(temp_file)
+
+    def test_permission_config_with_nonexistent_roles_file(self):
+        """Test PermissionConfig with nonexistent roles_file."""
+        with pytest.raises(ValueError, match="Roles file does not exist"):
+            PermissionConfig(
+                enabled=True,
+                roles_file="/nonexistent/path/roles.json",
+                default_role="guest",
+            )
+
+    def test_permission_config_default_values(self):
+        """Test PermissionConfig default values."""
+        config = PermissionConfig()
+
+        assert config.enabled is True
+        assert config.roles_file is None
+        assert config.default_role == "guest"
+        assert config.admin_role == "admin"
+        assert config.role_hierarchy == {}
+        assert config.permission_cache_enabled is True
+        assert config.permission_cache_ttl == 300
+        assert config.wildcard_permissions is False
+        assert config.strict_mode is True
+        assert config.roles is None
+
+    def test_permission_config_with_all_null_values(self):
+        """Test PermissionConfig with all null-like values."""
+        config = PermissionConfig(
+            enabled=True,
+            roles_file=None,
+            default_role="guest",
+            admin_role="admin",
+            role_hierarchy={},
+            permission_cache_enabled=True,
+            permission_cache_ttl=300,
+            wildcard_permissions=False,
+            strict_mode=True,
+            roles=None,
+        )
+
+        assert config.roles_file is None
+        assert config.roles is None
+        assert config.role_hierarchy == {}
+
+    def test_permission_config_validation_edge_cases(self):
+        """Test PermissionConfig validation with edge cases."""
+        # Test with whitespace-only string
+        config = PermissionConfig(enabled=True, roles_file="   ", default_role="guest")
+
+        # Should be treated as empty and converted to None
+        assert config.roles_file is None
+
+    def test_permission_config_with_roles_dict(self):
+        """Test PermissionConfig with inline roles dictionary."""
+        config = PermissionConfig(
+            enabled=True,
+            roles_file=None,
+            default_role="guest",
+            roles={
+                "admin": ["*"],
+                "user": ["read:*", "write:own"],
+                "guest": ["read:public"],
+            },
+        )
+
+        assert config.roles_file is None
+        assert config.roles is not None
+        assert "admin" in config.roles
+        assert "user" in config.roles
+        assert "guest" in config.roles
+
+    def test_permission_config_serialization(self):
+        """Test PermissionConfig serialization with null values."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        # Should serialize without errors
+        config_dict = config.model_dump()
+        assert "roles_file" in config_dict
+        assert config_dict["roles_file"] is None
+
+        # Should deserialize without errors
+        config_dict["roles_file"] = None
+        new_config = PermissionConfig(**config_dict)
+        assert new_config.roles_file is None
+
+    def test_permission_config_json_serialization(self):
+        """Test PermissionConfig JSON serialization with null values."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        # Should serialize to JSON without errors
+        json_str = config.model_dump_json()
+        assert "roles_file" in json_str
+        assert "null" in json_str
+
+        # Should deserialize from JSON without errors
+        import json
+
+        config_dict = json.loads(json_str)
+        assert config_dict["roles_file"] is None
+
+    def test_permission_config_validation_chain(self):
+        """Test PermissionConfig validation chain with null values."""
+        # Test that validation works with null values
+        config = PermissionConfig(
+            enabled=True,
+            roles_file=None,
+            default_role="guest",
+            admin_role="admin",
+            role_hierarchy={},
+            permission_cache_enabled=True,
+            permission_cache_ttl=300,
+            wildcard_permissions=False,
+            strict_mode=True,
+            roles=None,
+        )
+
+        # All validations should pass
+        assert config.enabled is True
+        assert config.roles_file is None
+        assert config.default_role == "guest"
+        assert config.admin_role == "admin"
+        assert config.role_hierarchy == {}
+        assert config.permission_cache_enabled is True
+        assert config.permission_cache_ttl == 300
+        assert config.wildcard_permissions is False
+        assert config.strict_mode is True
+        assert config.roles is None
+
+    def test_permission_config_field_validation(self):
+        """Test PermissionConfig field validation with null values."""
+        # Test that all fields can be set to null/None where appropriate
+        config = PermissionConfig(
+            enabled=True,
+            roles_file=None,  # Can be None
+            default_role="guest",  # Cannot be None
+            admin_role="admin",  # Cannot be None
+            role_hierarchy={},  # Cannot be None, but can be empty
+            permission_cache_enabled=True,  # Cannot be None
+            permission_cache_ttl=300,  # Cannot be None
+            wildcard_permissions=False,  # Cannot be None
+            strict_mode=True,  # Cannot be None
+            roles=None,  # Can be None
+        )
+
+        # All fields should be valid
+        assert config.roles_file is None
+        assert config.roles is None
+        assert config.role_hierarchy == {}
+        assert config.enabled is True
+        assert config.default_role == "guest"
+        assert config.admin_role == "admin"
+        assert config.permission_cache_enabled is True
+        assert config.permission_cache_ttl == 300
+        assert config.wildcard_permissions is False
+        assert config.strict_mode is True
+
+    def test_permission_config_equality(self):
+        """Test PermissionConfig equality with null values."""
+        config1 = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        config2 = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        # Should be equal
+        assert config1 == config2
+
+        # Test with different null representations
+        config3 = PermissionConfig(enabled=True, roles_file="", default_role="guest")
+
+        # Should be equal (empty string converted to None)
+        assert config1 == config3
+
+    def test_permission_config_copy(self):
+        """Test PermissionConfig copy with null values."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        # Should copy without errors
+        config_copy = config.model_copy()
+        assert config_copy == config
+        assert config_copy.roles_file is None
+        assert config_copy.default_role == "guest"
+
+    def test_permission_config_mutability(self):
+        """Test PermissionConfig mutability with null values."""
+        config = PermissionConfig(enabled=True, roles_file=None, default_role="guest")
+
+        # Pydantic models are mutable by default
+        config.roles_file = "new_value"
+        assert config.roles_file == "new_value"
+
+        config.default_role = "new_role"
+        assert config.default_role == "new_role"