tunnel-manager 1.0.3__tar.gz → 1.0.5__tar.gz

{tunnel_manager-1.0.3/tunnel_manager.egg-info → tunnel_manager-1.0.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: tunnel-manager
-Version: 1.0.3
+Version: 1.0.5
 Summary: Create SSH Tunnels to your remote hosts and host as an MCP Server for Agentic AI!
 Author-email: Audel Rouhi <knucklessg1@gmail.com>
 License: MIT
@@ -12,7 +12,7 @@ Classifier: Programming Language :: Python :: 3
 Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: fastmcp>=2.11.3
+Requires-Dist: fastmcp>=2.12.4
 Requires-Dist: paramiko>=4.0.0
 Dynamic: license-file
 
@@ -38,7 +38,7 @@ Dynamic: license-file
 ![PyPI - Wheel](https://img.shields.io/pypi/wheel/tunnel-manager)
 ![PyPI - Implementation](https://img.shields.io/pypi/implementation/tunnel-manager)
 
-*Version: 1.0.3*
+*Version: 1.0.5*
 
 This project provides a Python-based `Tunnel` class for secure SSH connections and file transfers, integrated with a FastMCP server (`tunnel_manager_mcp.py`) to expose these capabilities as tools for AI-driven workflows. The implementation supports both standard SSH (e.g., for local networks) and Teleport's secure access platform, leveraging the `paramiko` library for SSH operations.
 
@@ -84,135 +84,49 @@ This project provides a Python-based `Tunnel` class for secure SSH connections a
 <details>
   <summary><b>Usage:</b></summary>
 
-## Tunnel Class
-The `Tunnel` class can be used standalone for SSH operations. Examples:
-
-### Using RSA Keys
-```python
-from tunnel_manager.tunnel_manager import Tunnel
-
-# Initialize with a remote host (assumes ~/.ssh/config or explicit params)
-tunnel = Tunnel(
-    remote_host="192.168.1.10",
-    username="admin",
-    password="mypassword",
-    identity_file="/path/to/id_rsa",
-    certificate_file="/path/to/cert",  # Optional for Teleport
-    proxy_command="tsh proxy ssh %h",  # Optional for Teleport
-    ssh_config_file="~/.ssh/config",
-)
-
-# Connect and run a command
-tunnel.connect()
-out, err = tunnel.run_command("ls -la /tmp")
-print(f"Output: {out}\nError: {err}")
-
-# Upload a file
-tunnel.send_file("/local/file.txt", "/remote/file.txt")
-
-# Download a file
-tunnel.receive_file("/remote/file.txt", "/local/downloaded.txt")
-
-# Setup passwordless SSH with RSA
-tunnel.setup_passwordless_ssh(local_key_path="~/.ssh/id_rsa", key_type="rsa")
-
-# Copy SSH config
-tunnel.copy_ssh_config("/local/ssh_config", "~/.ssh/config")
-
-# Rotate SSH key with RSA
-tunnel.rotate_ssh_key("/path/to/new_rsa_key", key_type="rsa")
-
-# Close the connection
-tunnel.close()
-```
-
-### Using Ed25519 Keys
-```python
-from tunnel_manager.tunnel_manager import Tunnel
-
-# Initialize with a remote host (assumes ~/.ssh/config or explicit params)
-tunnel = Tunnel(
-    remote_host="192.168.1.10",
-    username="admin",
-    password="mypassword",
-    identity_file="/path/to/id_ed25519",
-    certificate_file="/path/to/cert",  # Optional for Teleport
-    proxy_command="tsh proxy ssh %h",  # Optional for Teleport
-    ssh_config_file="~/.ssh/config",
-)
-
-# Connect and run a command
-tunnel.connect()
-out, err = tunnel.run_command("ls -la /tmp")
-print(f"Output: {out}\nError: {err}")
-
-# Upload a file
-tunnel.send_file("/local/file.txt", "/remote/file.txt")
-
-# Download a file
-tunnel.receive_file("/remote/file.txt", "/local/downloaded.txt")
-
-# Setup passwordless SSH with Ed25519
-tunnel.setup_passwordless_ssh(local_key_path="~/.ssh/id_ed25519", key_type="ed25519")
-
-# Copy SSH config
-tunnel.copy_ssh_config("/local/ssh_config", "~/.ssh/config")
-
-# Rotate SSH key with Ed25519
-tunnel.rotate_ssh_key("/path/to/new_ed25519_key", key_type="ed25519")
-
-# Close the connection
-tunnel.close()
-```
-
-## Tunnel Manager CLI Usage
-The `tunnel_manager.py` script provides a CLI for managing SSH operations across hosts defined in an Ansible-style YAML inventory file. Below are examples for each command, targeting different inventory groups (`all`, `homelab`, `poweredge`). The CLI now supports both RSA and Ed25519 keys via the `--key-type` flag for relevant commands (default: `ed25519`).
-
-**Inventory File Example (`inventory.yml`)**:
-```yaml
-all:
-  hosts:
-    r510:
-      ansible_host: 192.168.1.10
-      ansible_user: admin
-      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
-    r710:
-      ansible_host: 192.168.1.11
-      ansible_user: admin
-      ansible_ssh_pass: mypassword
-    gr1080:
-      ansible_host: 192.168.1.14
-      ansible_user: admin
-      ansible_ssh_private_key_file: "~/.ssh/id_rsa"
-homelab:
-  hosts:
-    r510:
-      ansible_host: 192.168.1.10
-      ansible_user: admin
-      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
-    r710:
-      ansible_host: 192.168.1.11
-      ansible_user: admin
-      ansible_ssh_pass: mypassword
-    gr1080:
-      ansible_host: 192.168.1.14
-      ansible_user: admin
-      ansible_ssh_private_key_file: "~/.ssh/id_rsa"
-poweredge:
-  hosts:
-    r510:
-      ansible_host: 192.168.1.10
-      ansible_user: admin
-      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
-    r710:
-      ansible_host: 192.168.1.11
-      ansible_user: admin
-      ansible_ssh_pass: mypassword
-```
+### CLI
+| Short Flag | Long Flag            | Description                                              | Required | Default Value |
+|------------|----------------------|----------------------------------------------------------|----------|---------------|
+| -h         | --help               | Show usage for the script                                | No       | None          |
+|            | --log-file           | Log to specified file (default: console output)           | No       | Console       |
+|            | setup-all            | Setup passwordless SSH for all hosts in inventory         | Yes*     | None          |
+|            | --inventory          | YAML inventory path                                      | Yes      | None          |
+|            | --shared-key-path    | Path to shared private key                               | No       | ~/.ssh/id_shared |
+|            | --key-type           | Key type (rsa or ed25519)                                | No       | ed25519       |
+|            | --group              | Inventory group to target                                 | No       | all           |
+|            | --parallel           | Run operation in parallel                                | No       | False         |
+|            | --max-threads        | Max threads for parallel execution                       | No       | 5             |
+|            | run-command          | Run a shell command on all hosts in inventory            | Yes*     | None          |
+|            | --remote-command     | Shell command to run                                     | Yes      | None          |
+|            | copy-config          | Copy SSH config to all hosts in inventory                | Yes*     | None          |
+|            | --local-config-path  | Local SSH config path                                    | Yes      | None          |
+|            | --remote-config-path | Remote path for SSH config                               | No       | ~/.ssh/config |
+|            | rotate-key           | Rotate SSH keys for all hosts in inventory               | Yes*     | None          |
+|            | --key-prefix         | Prefix for new key paths (appends hostname)              | No       | ~/.ssh/id_    |
+|            | --key-type           | Key type (rsa or ed25519)                                | No       | ed25519       |
+|            | send-file            | Upload a file to all hosts in inventory                  | Yes*     | None          |
+|            | --local-path         | Local file path to upload                                | Yes      | None          |
+|            | --remote-path        | Remote destination path                                  | Yes      | None          |
+|            | receive-file         | Download a file from all hosts in inventory              | Yes*     | None          |
+|            | --remote-path        | Remote file path to download                             | Yes      | None          |
+|            | --local-path-prefix  | Local directory path prefix to save files                | Yes      | None          |
 
-Replace IPs, usernames, and passwords with your actual values.
+### Notes
+One of the commands (`setup-all`, `run-command`, `copy-config`, `rotate-key`, `send-file`, `receive-file`) must be specified as the first argument to `tunnel_manager.py`. Each command has required arguments that must be specified with flags:
+- `setup-all`: Requires `--inventory`.
+- `run-command`: Requires `--inventory` and `--remote-command`.
+- `copy-config`: Requires `--inventory` and `--local-config-path`.
+- `rotate-key`: Requires `--inventory`.
+- `send-file`: Requires `--inventory`, `--local-path`, and `--remote-path`.
+- `receive-file`: Requires `--inventory`, `--remote-path`, and `--local-path-prefix`.
 
-### CLI Commands
+### Additional Notes
+- Ensure `ansible_host` values in `inventory.yml` are resolvable IPs or hostnames.
+- Update `ansible_ssh_private_key_file` in the inventory after running `rotate-key`.
+- Use `--log-file` for file-based logging or omit for console output.
+- The `--parallel` option speeds up operations but may overload resources; adjust `--max-threads` as needed.
+- The `receive-file` command saves files to `local_path_prefix/<hostname>/<filename>` to preserve original filenames and avoid conflicts.
+- Ed25519 keys are recommended for better security and performance over RSA, but RSA is supported for compatibility with older systems.
 
 #### 1. Setup Passwordless SSH
 Set up passwordless SSH for hosts in the inventory, distributing a shared key. Use `--key-type` to specify RSA or Ed25519 (default: ed25519).
@@ -304,70 +218,267 @@ Download a file from all hosts in the specified group, saving to host-specific s
   tunnel-manager --log-file download_poweredge.log receive-file --inventory inventory.yml --remote-path /home/user/myfile.txt --local-path-prefix ./downloads --group poweredge
   ```
 
-### CLI Command Table
-| Short Flag | Long Flag            | Description                                              | Required | Default Value |
-|------------|----------------------|----------------------------------------------------------|----------|---------------|
-| -h         | --help               | Show usage for the script                                | No       | None          |
-|            | --log-file           | Log to specified file (default: console output)           | No       | Console       |
-|            | setup-all            | Setup passwordless SSH for all hosts in inventory         | Yes*     | None          |
-|            | --inventory          | YAML inventory path                                      | Yes      | None          |
-|            | --shared-key-path    | Path to shared private key                               | No       | ~/.ssh/id_shared |
-|            | --key-type           | Key type (rsa or ed25519)                                | No       | ed25519       |
-|            | --group              | Inventory group to target                                 | No       | all           |
-|            | --parallel           | Run operation in parallel                                | No       | False         |
-|            | --max-threads        | Max threads for parallel execution                       | No       | 5             |
-|            | run-command          | Run a shell command on all hosts in inventory            | Yes*     | None          |
-|            | --remote-command     | Shell command to run                                     | Yes      | None          |
-|            | copy-config          | Copy SSH config to all hosts in inventory                | Yes*     | None          |
-|            | --local-config-path  | Local SSH config path                                    | Yes      | None          |
-|            | --remote-config-path | Remote path for SSH config                               | No       | ~/.ssh/config |
-|            | rotate-key           | Rotate SSH keys for all hosts in inventory               | Yes*     | None          |
-|            | --key-prefix         | Prefix for new key paths (appends hostname)              | No       | ~/.ssh/id_    |
-|            | --key-type           | Key type (rsa or ed25519)                                | No       | ed25519       |
-|            | send-file            | Upload a file to all hosts in inventory                  | Yes*     | None          |
-|            | --local-path         | Local file path to upload                                | Yes      | None          |
-|            | --remote-path        | Remote destination path                                  | Yes      | None          |
-|            | receive-file         | Download a file from all hosts in inventory              | Yes*     | None          |
-|            | --remote-path        | Remote file path to download                             | Yes      | None          |
-|            | --local-path-prefix  | Local directory path prefix to save files                | Yes      | None          |
+### Tunnel Manager Inventory
 
-### Notes
-One of the commands (`setup-all`, `run-command`, `copy-config`, `rotate-key`, `send-file`, `receive-file`) must be specified as the first argument to `tunnel_manager.py`. Each command has required arguments that must be specified with flags:
-- `setup-all`: Requires `--inventory`.
-- `run-command`: Requires `--inventory` and `--remote-command`.
-- `copy-config`: Requires `--inventory` and `--local-config-path`.
-- `rotate-key`: Requires `--inventory`.
-- `send-file`: Requires `--inventory`, `--local-path`, and `--remote-path`.
-- `receive-file`: Requires `--inventory`, `--remote-path`, and `--local-path-prefix`.
+**Inventory File Example (`inventory.yml`)**:
 
-### Additional Notes
-- Ensure `ansible_host` values in `inventory.yml` are resolvable IPs or hostnames.
-- Update `ansible_ssh_private_key_file` in the inventory after running `rotate-key`.
-- Use `--log-file` for file-based logging or omit for console output.
-- The `--parallel` option speeds up operations but may overload resources; adjust `--max-threads` as needed.
-- The `receive-file` command saves files to `local_path_prefix/<hostname>/<filename>` to preserve original filenames and avoid conflicts.
-- Ed25519 keys are recommended for better security and performance over RSA, but RSA is supported for compatibility with older systems.
+```yaml
+all:
+  hosts:
+    r510:
+      ansible_host: 192.168.1.10
+      ansible_user: admin
+      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
+    r710:
+      ansible_host: 192.168.1.11
+      ansible_user: admin
+      ansible_ssh_pass: mypassword
+    gr1080:
+      ansible_host: 192.168.1.14
+      ansible_user: admin
+      ansible_ssh_private_key_file: "~/.ssh/id_rsa"
+homelab:
+  hosts:
+    r510:
+      ansible_host: 192.168.1.10
+      ansible_user: admin
+      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
+    r710:
+      ansible_host: 192.168.1.11
+      ansible_user: admin
+      ansible_ssh_pass: mypassword
+    gr1080:
+      ansible_host: 192.168.1.14
+      ansible_user: admin
+      ansible_ssh_private_key_file: "~/.ssh/id_rsa"
+poweredge:
+  hosts:
+    r510:
+      ansible_host: 192.168.1.10
+      ansible_user: admin
+      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
+    r710:
+      ansible_host: 192.168.1.11
+      ansible_user: admin
+      ansible_ssh_pass: mypassword
+```
+
+Replace IPs, usernames, and passwords with your actual values.
 
-## FastMCP Server
-The FastMCP server exposes the `Tunnel` functionality as AI-accessible tools. Start the server with:
 
+### MCP CLI
+
+| Short Flag | Long Flag                          | Description                                                                 |
+|------------|------------------------------------|-----------------------------------------------------------------------------|
+| -h         | --help                             | Display help information                                                    |
+| -t         | --transport                        | Transport method: 'stdio', 'http', or 'sse' [legacy] (default: stdio)       |
+| -s         | --host                             | Host address for HTTP transport (default: 0.0.0.0)                          |
+| -p         | --port                             | Port number for HTTP transport (default: 8000)                              |
+|            | --auth-type                        | Authentication type: 'none', 'static', 'jwt', 'oauth-proxy', 'oidc-proxy', 'remote-oauth' (default: none) |
+|            | --token-jwks-uri                   | JWKS URI for JWT verification                                              |
+|            | --token-issuer                     | Issuer for JWT verification                                                |
+|            | --token-audience                   | Audience for JWT verification                                              |
+|            | --oauth-upstream-auth-endpoint     | Upstream authorization endpoint for OAuth Proxy                             |
+|            | --oauth-upstream-token-endpoint    | Upstream token endpoint for OAuth Proxy                                    |
+|            | --oauth-upstream-client-id         | Upstream client ID for OAuth Proxy                                         |
+|            | --oauth-upstream-client-secret     | Upstream client secret for OAuth Proxy                                     |
+|            | --oauth-base-url                   | Base URL for OAuth Proxy                                                   |
+|            | --oidc-config-url                  | OIDC configuration URL                                                     |
+|            | --oidc-client-id                   | OIDC client ID                                                             |
+|            | --oidc-client-secret               | OIDC client secret                                                         |
+|            | --oidc-base-url                    | Base URL for OIDC Proxy                                                    |
+|            | --remote-auth-servers              | Comma-separated list of authorization servers for Remote OAuth             |
+|            | --remote-base-url                  | Base URL for Remote OAuth                                                  |
+|            | --allowed-client-redirect-uris     | Comma-separated list of allowed client redirect URIs                       |
+|            | --eunomia-type                     | Eunomia authorization type: 'none', 'embedded', 'remote' (default: none)   |
+|            | --eunomia-policy-file              | Policy file for embedded Eunomia (default: mcp_policies.json)              |
+|            | --eunomia-remote-url               | URL for remote Eunomia server                                              |
+
+### Using as an MCP Server
+
+The MCP Server can be run in two modes: `stdio` (for local testing) or `http` (for networked access). To start the server, use the following commands:
+
+#### Run in stdio mode (default):
 ```bash
-python tunnel_manager_mcp.py --transport stdio
+tunnel-manager-mcp --transport "stdio"
 ```
 
-Or for HTTP transport:
+#### Run in HTTP mode:
 ```bash
-python tunnel_manager_mcp.py --transport http --host 127.0.0.1 --port 8080
+tunnel-manager-mcp --transport "http"  --host "0.0.0.0"  --port "8000"
 ```
 
-</details>
+### Tunnel Class
+The `Tunnel` class can be used standalone for SSH operations. Examples:
 
-<details>
-  <summary><b>Installation Instructions:</b></summary>
+#### Using RSA Keys
+```python
+from tunnel_manager.tunnel_manager import Tunnel
 
-## Use with AI
+# Initialize with a remote host (assumes ~/.ssh/config or explicit params)
+tunnel = Tunnel(
+    remote_host="192.168.1.10",
+    username="admin",
+    password="mypassword",
+    identity_file="/path/to/id_rsa",
+    certificate_file="/path/to/cert",  # Optional for Teleport
+    proxy_command="tsh proxy ssh %h",  # Optional for Teleport
+    ssh_config_file="~/.ssh/config",
+)
+
+# Connect and run a command
+tunnel.connect()
+out, err = tunnel.run_command("ls -la /tmp")
+print(f"Output: {out}\nError: {err}")
+
+# Upload a file
+tunnel.send_file("/local/file.txt", "/remote/file.txt")
+
+# Download a file
+tunnel.receive_file("/remote/file.txt", "/local/downloaded.txt")
+
+# Setup passwordless SSH with RSA
+tunnel.setup_passwordless_ssh(local_key_path="~/.ssh/id_rsa", key_type="rsa")
+
+# Copy SSH config
+tunnel.copy_ssh_config("/local/ssh_config", "~/.ssh/config")
+
+# Rotate SSH key with RSA
+tunnel.rotate_ssh_key("/path/to/new_rsa_key", key_type="rsa")
+
+# Close the connection
+tunnel.close()
+```
+
+#### Using Ed25519 Keys
+```python
+from tunnel_manager.tunnel_manager import Tunnel
+
+# Initialize with a remote host (assumes ~/.ssh/config or explicit params)
+tunnel = Tunnel(
+    remote_host="192.168.1.10",
+    username="admin",
+    password="mypassword",
+    identity_file="/path/to/id_ed25519",
+    certificate_file="/path/to/cert",  # Optional for Teleport
+    proxy_command="tsh proxy ssh %h",  # Optional for Teleport
+    ssh_config_file="~/.ssh/config",
+)
+
+# Connect and run a command
+tunnel.connect()
+out, err = tunnel.run_command("ls -la /tmp")
+print(f"Output: {out}\nError: {err}")
+
+# Upload a file
+tunnel.send_file("/local/file.txt", "/remote/file.txt")
+
+# Download a file
+tunnel.receive_file("/remote/file.txt", "/local/downloaded.txt")
+
+# Setup passwordless SSH with Ed25519
+tunnel.setup_passwordless_ssh(local_key_path="~/.ssh/id_ed25519", key_type="ed25519")
+
+# Copy SSH config
+tunnel.copy_ssh_config("/local/ssh_config", "~/.ssh/config")
+
+# Rotate SSH key with Ed25519
+tunnel.rotate_ssh_key("/path/to/new_ed25519_key", key_type="ed25519")
+
+# Close the connection
+tunnel.close()
+```
+
+### Deploy MCP Server as a Service
+
+The MCP server can be deployed using Docker, with configurable authentication, middleware, and Eunomia authorization.
+
+#### Using Docker Run
+
+```bash
+docker pull knucklessg1/tunnel-manager:latest
+
+docker run -d \
+  --name tunnel-manager-mcp \
+  -p 8004:8004 \
+  -e HOST=0.0.0.0 \
+  -e PORT=8004 \
+  -e TRANSPORT=http \
+  -e AUTH_TYPE=none \
+  -e EUNOMIA_TYPE=none \
+  knucklessg1/tunnel-manager:latest
+```
+
+For advanced authentication (e.g., JWT, OAuth Proxy, OIDC Proxy, Remote OAuth) or Eunomia, add the relevant environment variables:
+
+```bash
+docker run -d \
+  --name tunnel-manager-mcp \
+  -p 8004:8004 \
+  -e HOST=0.0.0.0 \
+  -e PORT=8004 \
+  -e TRANSPORT=http \
+  -e AUTH_TYPE=oidc-proxy \
+  -e OIDC_CONFIG_URL=https://provider.com/.well-known/openid-configuration \
+  -e OIDC_CLIENT_ID=your-client-id \
+  -e OIDC_CLIENT_SECRET=your-client-secret \
+  -e OIDC_BASE_URL=https://your-server.com \
+  -e ALLOWED_CLIENT_REDIRECT_URIS=http://localhost:*,https://*.example.com/* \
+  -e EUNOMIA_TYPE=embedded \
+  -e EUNOMIA_POLICY_FILE=/app/mcp_policies.json \
+  knucklessg1/tunnel-manager:latest
+```
+
+#### Using Docker Compose
+
+Create a `docker-compose.yml` file:
+
+```yaml
+services:
+  tunnel-manager-mcp:
+    image: knucklessg1/tunnel-manager:latest
+    environment:
+      - HOST=0.0.0.0
+      - PORT=8004
+      - TRANSPORT=http
+      - AUTH_TYPE=none
+      - EUNOMIA_TYPE=none
+    ports:
+      - 8004:8004
+```
+
+For advanced setups with authentication and Eunomia:
+
+```yaml
+services:
+  tunnel-manager-mcp:
+    image: knucklessg1/tunnel-manager:latest
+    environment:
+      - HOST=0.0.0.0
+      - PORT=8004
+      - TRANSPORT=http
+      - AUTH_TYPE=oidc-proxy
+      - OIDC_CONFIG_URL=https://provider.com/.well-known/openid-configuration
+      - OIDC_CLIENT_ID=your-client-id
+      - OIDC_CLIENT_SECRET=your-client-secret
+      - OIDC_BASE_URL=https://your-server.com
+      - ALLOWED_CLIENT_REDIRECT_URIS=http://localhost:*,https://*.example.com/*
+      - EUNOMIA_TYPE=embedded
+      - EUNOMIA_POLICY_FILE=/app/mcp_policies.json
+    ports:
+      - 8004:8004
+    volumes:
+      - ./mcp_policies.json:/app/mcp_policies.json
+```
+
+Run the service:
+
+```bash
+docker-compose up -d
+```
+
+#### Configure `mcp.json` for AI Integration
 
-Configure `mcp.json`
 ```json
 {
   "mcpServers": {
@@ -398,23 +509,10 @@ Configure `mcp.json`
   }
 }
 ```
+</details>
 
-### Deploy MCP Server as a Container
-```bash
-docker pull knucklessg1/tunnel-manager:latest
-```
-
-Modify the `compose.yml`
-```yaml
-services:
-  tunnel-manager:
-    image: knucklessg1/tunnel-manager:latest
-    environment:
-      - HOST=0.0.0.0
-      - PORT=8021
-    ports:
-      - 8021:8021
-```
+<details>
+  <summary><b>Installation Instructions:</b></summary>
 
 ### Install Python Package
 ```bash