rootly-mcp-server 2.0.14__py3-none-any.whl → 2.1.0__py3-none-any.whl

rootly_mcp_server/__init__.py

@@ -8,13 +8,17 @@ Features:
 - Automatic tool generation from Swagger spec
 - Authentication via ROOTLY_API_TOKEN environment variable
 - Default pagination (10 items) for incidents endpoints to prevent context window overflow
+- Comprehensive security: HTTPS enforcement, input sanitization, rate limiting
+- Structured logging with correlation IDs and metrics collection
+- Custom exception hierarchy for better error handling
+- Input validation and sensitive data masking
 """
 
-from .server import RootlyMCPServer
 from .client import RootlyClient
+from .server import RootlyMCPServer
 
-__version__ = "2.0.12"
+__version__ = "2.1.0"
 __all__ = [
-    'RootlyMCPServer',
-    'RootlyClient',
-] 
+    "RootlyMCPServer",
+    "RootlyClient",
+]

rootly_mcp_server/__main__.py

@@ -10,14 +10,15 @@ import logging
 import os
 import sys
 from pathlib import Path
+
+from .exceptions import RootlyConfigurationError, RootlyMCPError
+from .security import validate_api_token
 from .server import create_rootly_mcp_server
 
 
 def parse_args():
     """Parse command-line arguments."""
-    parser = argparse.ArgumentParser(
-        description="Start the Rootly MCP server for API integration."
-    )
+    parser = argparse.ArgumentParser(description="Start the Rootly MCP server for API integration.")
     parser.add_argument(
         "--swagger-path",
         type=str,
@@ -76,44 +77,47 @@ def setup_logging(log_level, debug=False):
     """Set up logging configuration."""
     if debug or os.getenv("DEBUG", "").lower() in ("true", "1", "yes"):
         log_level = "DEBUG"
-    
+
     numeric_level = getattr(logging, log_level.upper(), None)
     if not isinstance(numeric_level, int):
         raise ValueError(f"Invalid log level: {log_level}")
-    
+
     # Configure root logger
     logging.basicConfig(
         level=numeric_level,
         format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
         handlers=[logging.StreamHandler(sys.stderr)],  # Log to stderr for stdio transport
     )
-    
+
     # Set specific logger levels
     logging.getLogger("rootly_mcp_server").setLevel(numeric_level)
     logging.getLogger("mcp").setLevel(numeric_level)
-    
+
     # Log the configuration
     logger = logging.getLogger(__name__)
     logger.info(f"Logging configured with level: {log_level}")
     logger.debug(f"Python version: {sys.version}")
     logger.debug(f"Current directory: {Path.cwd()}")
-    logger.debug(f"Environment variables: {', '.join([f'{k}={v[:3]}...' if k.endswith('TOKEN') else f'{k}={v}' for k, v in os.environ.items() if k.startswith('ROOTLY_') or k in ['DEBUG']])}")
+    # SECURITY: Never log actual token values or prefixes
+    logger.debug(
+        f"Environment variables configured: {', '.join([k for k in os.environ.keys() if k.startswith('ROOTLY_') or k in ['DEBUG']])}"
+    )
 
 
 def check_api_token():
-    """Check if the Rootly API token is set."""
+    """Check if the Rootly API token is set and valid."""
     logger = logging.getLogger(__name__)
-    
-    api_token = os.environ.get("ROOTLY_API_TOKEN")
-    if not api_token:
-        logger.error("ROOTLY_API_TOKEN environment variable is not set.")
-        print("Error: ROOTLY_API_TOKEN environment variable is not set.", file=sys.stderr)
+
+    try:
+        api_token = os.environ.get("ROOTLY_API_TOKEN")
+        validate_api_token(api_token)
+        # SECURITY: Never log token values or prefixes
+        logger.info("ROOTLY_API_TOKEN is configured and valid")
+    except RootlyConfigurationError as e:
+        logger.error(str(e))
+        print(f"Error: {e}", file=sys.stderr)
         print("Please set it with: export ROOTLY_API_TOKEN='your-api-token-here'", file=sys.stderr)
         sys.exit(1)
-    else:
-        logger.info("ROOTLY_API_TOKEN is set")
-        # Log the first few characters of the token for debugging
-        logger.debug(f"Token starts with: {api_token[:5]}...")
 
 
 # Create the server instance for FastMCP CLI (follows quickstart pattern)
@@ -124,13 +128,13 @@ def get_server():
     server_name = os.getenv("ROOTLY_SERVER_NAME", "Rootly")
     hosted = os.getenv("ROOTLY_HOSTED", "false").lower() in ("true", "1", "yes")
     base_url = os.getenv("ROOTLY_BASE_URL")
-    
+
     # Parse allowed paths from environment variable
     allowed_paths = None
     allowed_paths_env = os.getenv("ROOTLY_ALLOWED_PATHS")
     if allowed_paths_env:
         allowed_paths = [path.strip() for path in allowed_paths_env.split(",")]
-    
+
     # Create and return the server
     return create_rootly_mcp_server(
         swagger_path=swagger_path,
@@ -149,26 +153,26 @@ def main():
     """Main entry point for the Rootly MCP Server."""
     args = parse_args()
     setup_logging(args.log_level, args.debug)
-    
+
     logger = logging.getLogger(__name__)
     logger.info("Starting Rootly MCP Server")
-    
+
     # Handle backward compatibility for --host argument
     hosted_mode = args.hosted
     if args.host:
         logger.warning("--host argument is deprecated, use --hosted instead")
         hosted_mode = True
-    
+
     # Only check API token if not in hosted mode
     if not hosted_mode:
         check_api_token()
-    
+
     try:
         # Parse allowed paths from command line argument
         allowed_paths = None
         if args.allowed_paths:
             allowed_paths = [path.strip() for path in args.allowed_paths.split(",")]
-        
+
         logger.info(f"Initializing server with name: {args.name}")
         server = create_rootly_mcp_server(
             swagger_path=args.swagger_path,
@@ -177,18 +181,29 @@ def main():
             hosted=hosted_mode,
             base_url=args.base_url,
         )
-        
+
         logger.info(f"Running server with transport: {args.transport}...")
         server.run(transport=args.transport)
-        
+
     except FileNotFoundError as e:
         logger.error(f"File not found: {e}")
         print(f"Error: {e}", file=sys.stderr)
         sys.exit(1)
-    except Exception as e:
-        logger.error(f"Failed to start server: {e}", exc_info=True)
+    except RootlyConfigurationError as e:
+        logger.error(f"Configuration error: {e}")
+        print(f"Configuration Error: {e}", file=sys.stderr)
+        sys.exit(1)
+    except RootlyMCPError as e:
+        logger.error(f"Rootly MCP error: {e}", exc_info=True)
         print(f"Error: {e}", file=sys.stderr)
         sys.exit(1)
+    except KeyboardInterrupt:
+        logger.info("Server stopped by user")
+        sys.exit(0)
+    except Exception as e:
+        logger.error(f"Unexpected error: {e}", exc_info=True)
+        print(f"Unexpected Error: {e}", file=sys.stderr)
+        sys.exit(1)
 
 
 if __name__ == "__main__":

rootly_mcp_server/client.py

@@ -2,39 +2,58 @@
 Rootly API client for making authenticated requests to the Rootly API.
 """
 
-import os
 import json
-import logging
+from typing import Any
+
 import requests
-from typing import Optional, Dict, Any
 
-# Set up logger
-logger = logging.getLogger(__name__)
+from .exceptions import (
+    RootlyAuthenticationError,
+    RootlyAuthorizationError,
+    RootlyClientError,
+    RootlyNetworkError,
+    RootlyServerError,
+    RootlyTimeoutError,
+    categorize_exception,
+)
+from .monitoring import StructuredLogger
+from .security import (
+    enforce_https,
+    get_api_token_from_env,
+    sanitize_error_message,
+    validate_url,
+)
+
+# Set up structured logger
+logger = StructuredLogger(__name__)
 
 
 class RootlyClient:
-    def __init__(self, base_url: Optional[str] = None, hosted: bool = False):
-        self.base_url = base_url or "https://api.rootly.com"
+    def __init__(self, base_url: str | None = None, hosted: bool = False):
+        # Enforce HTTPS for security
+        if base_url:
+            self.base_url = enforce_https(base_url)
+        else:
+            self.base_url = "https://api.rootly.com"
+
         self.hosted = hosted
         if not self.hosted:
             self._api_token = self._get_api_token()
-        logger.debug(f"Initialized RootlyClient with base_url: {self.base_url}")
+
+        logger.info("Initialized RootlyClient", base_url=self.base_url, hosted=hosted)
 
     def _get_api_token(self) -> str:
-        """Get the API token from environment variables."""
-        api_token = os.getenv("ROOTLY_API_TOKEN")
-        if not api_token:
-            raise ValueError("ROOTLY_API_TOKEN environment variable is not set")
-        return api_token
+        """Get the API token from environment variables with validation."""
+        return get_api_token_from_env()
 
     def make_request(
         self,
         method: str,
         path: str,
-        query_params: Optional[Dict[str, Any]] = None,
-        json_data: Optional[Dict[str, Any]] = None,
-        json_api_type: Optional[str] = None,
-        api_token: Optional[str] = None,
+        query_params: dict[str, Any] | None = None,
+        json_data: dict[str, Any] | None = None,
+        json_api_type: str | None = None,
+        api_token: str | None = None,
     ) -> str:
         """
         Make an authenticated request to the Rootly API.
@@ -45,13 +64,20 @@ class RootlyClient:
             query_params: Query parameters for the request.
             json_data: JSON data for the request body.
             json_api_type: If set, use JSON-API format and this type value.
+            api_token: Optional API token (for hosted mode).
 
         Returns:
             The API response as a JSON string.
+
+        Raises:
+            RootlyAuthenticationError: If authentication fails
+            RootlyNetworkError: If network issues occur
+            RootlyServerError: If API returns 5xx error
+            RootlyClientError: If API returns 4xx error
         """
         if self.hosted:
             if not api_token:
-                return json.dumps({"error": "No API token provided"})
+                raise RootlyAuthenticationError("No API token provided")
         else:
             api_token = self._api_token
 
@@ -81,10 +107,10 @@ class RootlyClient:
 
         url = f"{self.base_url}{path}"
 
-        logger.debug(f"Making {method} request to {url}")
-        logger.debug(f"Headers: {headers}")
-        logger.debug(f"Query params: {query_params}")
-        logger.debug(f"JSON data: {json_data}")
+        # Validate URL for security
+        validate_url(url, allowed_domains=["api.rootly.com", "rootly.com"])
+
+        logger.debug("Making API request", method=method, url=url)
 
         try:
             response = requests.request(
@@ -93,40 +119,68 @@ class RootlyClient:
                 headers=headers,
                 params=query_params,
                 json=json_data,
-                timeout=30,  # Add a timeout to prevent hanging
+                timeout=30,
             )
 
-            # Log the response status and headers
-            logger.debug(f"Response status: {response.status_code}")
-            logger.debug(f"Response headers: {response.headers}")
+            logger.debug("Received API response", status_code=response.status_code)
 
             # Try to parse the response as JSON
             try:
                 response_json = response.json()
-                logger.debug(
-                    f"Response parsed as JSON: {json.dumps(response_json)[:200]}..."
-                )
                 response.raise_for_status()
                 return json.dumps(response_json, indent=2)
             except ValueError:
                 # If the response is not JSON, return the text
-                logger.debug(f"Response is not JSON: {response.text[:200]}...")
                 response.raise_for_status()
                 return json.dumps({"text": response.text}, indent=2)
 
+        except requests.exceptions.Timeout as e:
+            logger.error("Request timed out", exc_info=e)
+            raise RootlyTimeoutError("Request timed out after 30 seconds")
+
+        except requests.exceptions.ConnectionError as e:
+            logger.error("Connection error", exc_info=e)
+            raise RootlyNetworkError(f"Failed to connect to {self.base_url}")
+
+        except requests.exceptions.HTTPError as e:
+            status_code = e.response.status_code if e.response else None
+
+            # Sanitize error message to remove stack traces
+            error_msg = sanitize_error_message(str(e))
+
+            logger.error("HTTP error", status_code=status_code, error=error_msg)
+
+            # Categorize HTTP errors
+            if status_code == 401:
+                raise RootlyAuthenticationError(f"Authentication failed: {error_msg}")
+            elif status_code == 403:
+                raise RootlyAuthorizationError(f"Access forbidden: {error_msg}")
+            elif status_code == 429:
+                from .exceptions import RootlyRateLimitError
+
+                raise RootlyRateLimitError(f"Rate limit exceeded: {error_msg}")
+            elif status_code is not None and 400 <= status_code < 500:
+                raise RootlyClientError(
+                    f"Client error ({status_code}): {error_msg}", status_code=status_code
+                )
+            elif status_code is not None and 500 <= status_code < 600:
+                raise RootlyServerError(
+                    f"Server error ({status_code}): {error_msg}", status_code=status_code
+                )
+            else:
+                raise RootlyNetworkError(f"HTTP error: {error_msg}")
+
         except requests.exceptions.RequestException as e:
-            logger.error(f"Request failed: {e}")
-            error_response = {"error": str(e)}
-
-            # Add response details if available
-            if hasattr(e, "response") and e.response is not None:
-                try:
-                    error_response["status_code"] = str(e.response.status_code)
-                    error_response["response_text"] = e.response.text
-                except Exception:
-                    pass
-
-            return json.dumps(error_response, indent=2)
+            # Sanitize error message
+            error_msg = sanitize_error_message(str(e))
+            logger.error("Request failed", exc_info=e)
+
+            # Try to categorize the exception
+            exception_class, message = categorize_exception(e)
+            raise exception_class(message)
+
         except Exception as e:
-            logger.error(f"Unexpected error: {e}")
-            return json.dumps({"error": f"Unexpected error: {str(e)}"}, indent=2)
+            # Sanitize error message for unexpected errors
+            error_msg = sanitize_error_message(str(e))
+            logger.error("Unexpected error", exc_info=e)
+            raise RootlyNetworkError(f"Unexpected error: {error_msg}")

rootly_mcp_server/data/__init__.py

@@ -1,4 +1,4 @@
 """
 Data package containing resources for Rootly MCP Server.
 This package includes the OpenAPI (Swagger) specification for the Rootly API.
-""" 
+"""

rootly_mcp_server/exceptions.py

@@ -0,0 +1,148 @@
+"""
+Custom exception classes for the Rootly MCP Server.
+
+This module defines specific exception types for better error handling
+and debugging throughout the application.
+"""
+
+
+class RootlyMCPError(Exception):
+    """Base exception for all Rootly MCP Server errors."""
+
+    def __init__(self, message: str, details: dict | None = None):
+        super().__init__(message)
+        self.message = message
+        self.details = details or {}
+
+
+class RootlyAuthenticationError(RootlyMCPError):
+    """Raised when API authentication fails."""
+
+    pass
+
+
+class RootlyAuthorizationError(RootlyMCPError):
+    """Raised when the user lacks permissions for the requested resource."""
+
+    pass
+
+
+class RootlyNetworkError(RootlyMCPError):
+    """Raised when network connectivity issues occur."""
+
+    pass
+
+
+class RootlyTimeoutError(RootlyNetworkError):
+    """Raised when a request times out."""
+
+    pass
+
+
+class RootlyValidationError(RootlyMCPError):
+    """Raised when input validation fails."""
+
+    pass
+
+
+class RootlyRateLimitError(RootlyMCPError):
+    """Raised when API rate limits are exceeded."""
+
+    def __init__(self, message: str, retry_after: int | None = None, details: dict | None = None):
+        super().__init__(message, details)
+        self.retry_after = retry_after
+
+
+class RootlyAPIError(RootlyMCPError):
+    """Raised when the Rootly API returns an error response."""
+
+    def __init__(self, message: str, status_code: int | None = None, details: dict | None = None):
+        super().__init__(message, details)
+        self.status_code = status_code
+
+
+class RootlyServerError(RootlyAPIError):
+    """Raised when the Rootly API returns a 5xx server error."""
+
+    pass
+
+
+class RootlyClientError(RootlyAPIError):
+    """Raised when the Rootly API returns a 4xx client error."""
+
+    pass
+
+
+class RootlyConfigurationError(RootlyMCPError):
+    """Raised when there's a configuration error (e.g., missing API token)."""
+
+    pass
+
+
+class RootlyResourceNotFoundError(RootlyClientError):
+    """Raised when a requested resource is not found (404)."""
+
+    pass
+
+
+def categorize_exception(exception: Exception) -> tuple[type[RootlyMCPError], str]:
+    """
+    Categorize a generic exception into a specific Rootly exception type.
+
+    Args:
+        exception: The exception to categorize
+
+    Returns:
+        Tuple of (exception_class, error_message)
+    """
+    error_str = str(exception).lower()
+    exception_type = type(exception).__name__.lower()
+
+    # Authentication errors (401)
+    if any(
+        keyword in error_str
+        for keyword in ["401", "unauthorized", "authentication failed", "invalid token"]
+    ):
+        return RootlyAuthenticationError, f"Authentication failed: {exception}"
+
+    # Authorization errors (403)
+    if any(
+        keyword in error_str
+        for keyword in ["403", "forbidden", "permission denied", "access denied"]
+    ):
+        return RootlyAuthorizationError, f"Authorization failed: {exception}"
+
+    # Rate limit errors (429)
+    if any(keyword in error_str for keyword in ["429", "rate limit", "too many requests"]):
+        return RootlyRateLimitError, f"Rate limit exceeded: {exception}"
+
+    # Resource not found (404)
+    if any(keyword in error_str for keyword in ["404", "not found"]):
+        return RootlyResourceNotFoundError, f"Resource not found: {exception}"
+
+    # Client errors (4xx)
+    if any(keyword in error_str for keyword in ["400", "bad request", "invalid"]):
+        return RootlyClientError, f"Client error: {exception}"
+
+    # Server errors (5xx)
+    if any(keyword in error_str for keyword in ["500", "502", "503", "504", "server error"]):
+        return RootlyServerError, f"Server error: {exception}"
+
+    # Timeout errors
+    if any(keyword in exception_type for keyword in ["timeout", "timedout"]):
+        return RootlyTimeoutError, f"Request timed out: {exception}"
+
+    # Network/Connection errors
+    if any(keyword in exception_type for keyword in ["connection", "network"]):
+        return RootlyNetworkError, f"Network error: {exception}"
+
+    # Validation errors
+    if any(keyword in exception_type for keyword in ["validation", "pydantic", "field"]):
+        return RootlyValidationError, f"Validation error: {exception}"
+
+    # Configuration errors
+    if any(keyword in error_str for keyword in ["not set", "missing", "configuration"]):
+        return RootlyConfigurationError, f"Configuration error: {exception}"
+
+    # Default to generic API error
+    return RootlyAPIError, f"API error: {exception}"