workspace-mcp 1.1.7__py3-none-any.whl → 1.1.9__py3-none-any.whl

auth/oauth21/tokens.py

@@ -0,0 +1,392 @@
+"""
+Token Validator
+
+Validates and parses Bearer tokens, supporting both JWT and opaque token formats.
+Implements token introspection per RFC7662 for opaque tokens.
+"""
+
+import logging
+from typing import Dict, Any, Optional, List
+from datetime import datetime, timezone
+
+import aiohttp
+import jwt
+from cachetools import TTLCache
+
+from .discovery import AuthorizationServerDiscovery
+
+logger = logging.getLogger(__name__)
+
+
+class TokenValidationError(Exception):
+    """Exception raised when token validation fails."""
+    
+    def __init__(self, message: str, error_code: str = "invalid_token"):
+        super().__init__(message)
+        self.error_code = error_code
+
+
+class TokenValidator:
+    """Validates and parses Bearer tokens."""
+
+    def __init__(
+        self,
+        discovery_service: Optional[AuthorizationServerDiscovery] = None,
+        cache_ttl: int = 300,  # 5 minutes
+        max_cache_size: int = 1000,
+    ):
+        """
+        Initialize the token validator.
+
+        Args:
+            discovery_service: Authorization server discovery service
+            cache_ttl: Token validation cache TTL in seconds
+            max_cache_size: Maximum number of cached validations
+        """
+        self.discovery = discovery_service or AuthorizationServerDiscovery()
+        self.validation_cache = TTLCache(maxsize=max_cache_size, ttl=cache_ttl)
+        self.jwks_cache = TTLCache(maxsize=10, ttl=3600)  # 1 hour for JWKS
+        self._session: Optional[aiohttp.ClientSession] = None
+
+    async def _get_session(self) -> aiohttp.ClientSession:
+        """Get or create HTTP session."""
+        if self._session is None or self._session.closed:
+            self._session = aiohttp.ClientSession(
+                timeout=aiohttp.ClientTimeout(total=30),
+                headers={"User-Agent": "MCP-OAuth2.1-Client/1.0"},
+            )
+        return self._session
+
+    async def close(self):
+        """Clean up resources."""
+        if self._session and not self._session.closed:
+            await self._session.close()
+        await self.discovery.close()
+
+    def _is_jwt_format(self, token: str) -> bool:
+        """
+        Check if token appears to be in JWT format.
+
+        Args:
+            token: Token to check
+
+        Returns:
+            True if token appears to be JWT
+        """
+        # JWT has 3 parts separated by dots
+        parts = token.split('.')
+        return len(parts) == 3
+
+    async def validate_token(
+        self,
+        token: str,
+        expected_audience: Optional[str] = None,
+        required_scopes: Optional[List[str]] = None,
+        authorization_server_url: Optional[str] = None,
+    ) -> Dict[str, Any]:
+        """
+        Validate token and extract claims.
+
+        Args:
+            token: Bearer token to validate
+            expected_audience: Expected audience claim
+            required_scopes: Required scopes
+            authorization_server_url: Authorization server URL for introspection
+
+        Returns:
+            Dictionary containing validated token information
+
+        Raises:
+            TokenValidationError: If token validation fails
+        """
+        # Check cache first
+        cache_key = f"token:{hash(token)}:{expected_audience}:{','.join(required_scopes or [])}"
+        if cache_key in self.validation_cache:
+            logger.debug("Using cached token validation result")
+            return self.validation_cache[cache_key]
+
+        try:
+            if self._is_jwt_format(token):
+                result = await self._validate_jwt_token(token, expected_audience, required_scopes)
+            else:
+                result = await self._validate_opaque_token(
+                    token, expected_audience, required_scopes, authorization_server_url
+                )
+            
+            # Cache successful validation
+            self.validation_cache[cache_key] = result
+            return result
+            
+        except Exception as e:
+            if isinstance(e, TokenValidationError):
+                raise
+            else:
+                logger.error(f"Unexpected error validating token: {e}")
+                raise TokenValidationError(f"Token validation failed: {str(e)}")
+
+    async def _validate_jwt_token(
+        self,
+        token: str,
+        expected_audience: Optional[str] = None,
+        required_scopes: Optional[List[str]] = None,
+    ) -> Dict[str, Any]:
+        """Validate JWT token."""
+        try:
+            # First decode without verification to get issuer and key ID
+            unverified_payload = jwt.decode(token, options={"verify_signature": False})
+            issuer = unverified_payload.get("iss")
+            
+            if not issuer:
+                raise TokenValidationError("JWT missing issuer claim")
+
+            # Get JWKS for signature verification
+            jwks = await self._fetch_jwks(issuer)
+            
+            # Decode and verify the JWT
+            payload = jwt.decode(
+                token,
+                key=jwks,
+                algorithms=["RS256", "ES256"],
+                audience=expected_audience,
+                issuer=issuer,
+                options={
+                    "verify_exp": True,
+                    "verify_aud": expected_audience is not None,
+                    "verify_iss": True,
+                }
+            )
+            
+            # Extract user identity
+            user_identity = self.extract_user_identity(payload)
+            
+            # Validate scopes if required
+            if required_scopes:
+                token_scopes = self._extract_scopes_from_jwt(payload)
+                if not self._validate_scopes(token_scopes, required_scopes):
+                    raise TokenValidationError(
+                        f"Insufficient scope. Required: {required_scopes}, Got: {token_scopes}",
+                        error_code="insufficient_scope"
+                    )
+            
+            return {
+                "valid": True,
+                "token_type": "jwt",
+                "user_identity": user_identity,
+                "scopes": self._extract_scopes_from_jwt(payload),
+                "expires_at": payload.get("exp"),
+                "issuer": issuer,
+                "audience": payload.get("aud"),
+                "claims": payload,
+            }
+            
+        except jwt.ExpiredSignatureError:
+            raise TokenValidationError("JWT token has expired", error_code="invalid_token")
+        except jwt.InvalidAudienceError:
+            raise TokenValidationError("JWT audience mismatch", error_code="invalid_token")
+        except jwt.InvalidIssuerError:
+            raise TokenValidationError("JWT issuer invalid", error_code="invalid_token")
+        except jwt.InvalidSignatureError:
+            raise TokenValidationError("JWT signature verification failed", error_code="invalid_token")
+        except jwt.InvalidTokenError as e:
+            raise TokenValidationError(f"Invalid JWT token: {str(e)}", error_code="invalid_token")
+
+    async def _validate_opaque_token(
+        self,
+        token: str,
+        expected_audience: Optional[str] = None,
+        required_scopes: Optional[List[str]] = None,
+        authorization_server_url: Optional[str] = None,
+    ) -> Dict[str, Any]:
+        """Validate opaque token via introspection."""
+        if not authorization_server_url:
+            # Try to determine from discovery
+            servers = await self.discovery.discover_authorization_servers()
+            if servers:
+                authorization_server_url = servers[0].get("issuer")
+            
+            if not authorization_server_url:
+                raise TokenValidationError("No authorization server URL for token introspection")
+
+        introspection_result = await self.introspect_opaque_token(token, authorization_server_url)
+        
+        if not introspection_result.get("active", False):
+            raise TokenValidationError("Token is not active", error_code="invalid_token")
+
+        # Validate audience if provided
+        if expected_audience:
+            token_audience = introspection_result.get("aud")
+            if token_audience and token_audience != expected_audience:
+                raise TokenValidationError("Token audience mismatch", error_code="invalid_token")
+
+        # Validate scopes if required
+        if required_scopes:
+            token_scopes = introspection_result.get("scope", "").split()
+            if not self._validate_scopes(token_scopes, required_scopes):
+                raise TokenValidationError(
+                    f"Insufficient scope. Required: {required_scopes}, Got: {token_scopes}",
+                    error_code="insufficient_scope"
+                )
+
+        # Extract user identity
+        user_identity = self.extract_user_identity(introspection_result)
+
+        return {
+            "valid": True,
+            "token_type": "opaque",
+            "user_identity": user_identity,
+            "scopes": token_scopes if required_scopes else introspection_result.get("scope", "").split(),
+            "expires_at": introspection_result.get("exp"),
+            "issuer": introspection_result.get("iss"),
+            "audience": introspection_result.get("aud"),
+            "claims": introspection_result,
+        }
+
+    async def introspect_opaque_token(
+        self,
+        token: str,
+        authorization_server_url: str,
+    ) -> Dict[str, Any]:
+        """
+        Query authorization server for opaque token details per RFC7662.
+
+        Args:
+            token: Opaque token to introspect
+            authorization_server_url: Authorization server URL
+
+        Returns:
+            Token introspection response
+
+        Raises:
+            TokenValidationError: If introspection fails
+        """
+        # Get authorization server metadata
+        as_metadata = await self.discovery.get_authorization_server_metadata(authorization_server_url)
+        introspection_endpoint = as_metadata.get("introspection_endpoint")
+        
+        if not introspection_endpoint:
+            raise TokenValidationError("Authorization server does not support token introspection")
+
+        session = await self._get_session()
+        
+        try:
+            # Prepare introspection request
+            data = {"token": token}
+            headers = {
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Accept": "application/json",
+            }
+
+            async with session.post(introspection_endpoint, data=data, headers=headers) as response:
+                if response.status != 200:
+                    raise TokenValidationError(f"Token introspection failed: {response.status}")
+                
+                result = await response.json()
+                logger.debug("Token introspection completed")
+                return result
+                
+        except aiohttp.ClientError as e:
+            raise TokenValidationError(f"Failed to introspect token: {str(e)}")
+
+    def extract_user_identity(self, token_payload: Dict[str, Any]) -> str:
+        """
+        Extract user email/identity from validated token.
+
+        Args:
+            token_payload: Validated token payload/claims
+
+        Returns:
+            User email or identifier
+
+        Raises:
+            TokenValidationError: If no user identity found
+        """
+        # Try different claim names for user identity
+        identity_claims = ["email", "sub", "preferred_username", "upn", "unique_name"]
+        
+        for claim in identity_claims:
+            value = token_payload.get(claim)
+            if value:
+                # Prefer email-like identities
+                if "@" in str(value):
+                    return str(value)
+                elif claim == "email":  # Email claim should be email
+                    return str(value)
+        
+        # Fallback to first available identity claim
+        for claim in identity_claims:
+            value = token_payload.get(claim)
+            if value:
+                return str(value)
+        
+        raise TokenValidationError("No user identity found in token", error_code="invalid_token")
+
+    async def _fetch_jwks(self, issuer: str) -> Dict[str, Any]:
+        """Fetch and cache JWKS from authorization server."""
+        cache_key = f"jwks:{issuer}"
+        if cache_key in self.jwks_cache:
+            return self.jwks_cache[cache_key]
+
+        # Get JWKS URI from metadata
+        as_metadata = await self.discovery.get_authorization_server_metadata(issuer)
+        jwks_uri = as_metadata.get("jwks_uri")
+        
+        if not jwks_uri:
+            raise TokenValidationError(f"No JWKS URI found for issuer {issuer}")
+
+        session = await self._get_session()
+        
+        try:
+            async with session.get(jwks_uri) as response:
+                if response.status != 200:
+                    raise TokenValidationError(f"Failed to fetch JWKS: {response.status}")
+                
+                jwks = await response.json()
+                self.jwks_cache[cache_key] = jwks
+                logger.debug(f"Fetched JWKS from {jwks_uri}")
+                return jwks
+                
+        except aiohttp.ClientError as e:
+            raise TokenValidationError(f"Failed to fetch JWKS: {str(e)}")
+
+    def _extract_scopes_from_jwt(self, payload: Dict[str, Any]) -> List[str]:
+        """Extract scopes from JWT payload."""
+        # Try different scope claim formats
+        scope_claim = payload.get("scope") or payload.get("scp")
+        
+        if isinstance(scope_claim, str):
+            return scope_claim.split()
+        elif isinstance(scope_claim, list):
+            return scope_claim
+        else:
+            return []
+
+    def _validate_scopes(self, token_scopes: List[str], required_scopes: List[str]) -> bool:
+        """Check if token has all required scopes."""
+        token_scope_set = set(token_scopes)
+        required_scope_set = set(required_scopes)
+        return required_scope_set.issubset(token_scope_set)
+
+    def is_token_expired(self, token_info: Dict[str, Any]) -> bool:
+        """
+        Check if token is expired.
+
+        Args:
+            token_info: Token information from validation
+
+        Returns:
+            True if token is expired
+        """
+        exp = token_info.get("expires_at")
+        if not exp:
+            return False  # No expiration info
+        
+        try:
+            if isinstance(exp, (int, float)):
+                exp_time = datetime.fromtimestamp(exp, tz=timezone.utc)
+            else:
+                exp_time = datetime.fromisoformat(str(exp))
+            
+            return datetime.now(timezone.utc) >= exp_time
+        except (ValueError, TypeError):
+            logger.warning(f"Invalid expiration time format: {exp}")
+            return False

auth/oauth_callback_server.py

@@ -172,7 +172,7 @@ class MinimalOAuthServer:
                 self.server_thread.join(timeout=3.0)
 
             self.is_running = False
-            logger.info(f"Minimal OAuth server stopped")
+            logger.info("Minimal OAuth server stopped")
 
         except Exception as e:
             logger.error(f"Error stopping minimal OAuth server: {e}", exc_info=True)

auth/service_decorator.py

@@ -6,10 +6,6 @@ from datetime import datetime, timedelta
 
 from google.auth.exceptions import RefreshError
 from auth.google_auth import get_authenticated_google_service, GoogleAuthenticationError
-
-logger = logging.getLogger(__name__)
-
-# Import scope constants
 from auth.scopes import (
     GMAIL_READONLY_SCOPE, GMAIL_SEND_SCOPE, GMAIL_COMPOSE_SCOPE, GMAIL_MODIFY_SCOPE, GMAIL_LABELS_SCOPE,
     DRIVE_READONLY_SCOPE, DRIVE_FILE_SCOPE,
@@ -22,6 +18,8 @@ from auth.scopes import (
     TASKS_SCOPE, TASKS_READONLY_SCOPE
 )
 
+logger = logging.getLogger(__name__)
+
 # Service configuration mapping
 SERVICE_CONFIGS = {
     "gmail": {"service": "gmail", "version": "v1"},
@@ -391,7 +389,6 @@ def clear_service_cache(user_email: Optional[str] = None) -> int:
 
 def get_cache_stats() -> Dict[str, Any]:
     """Get service cache statistics."""
-    now = datetime.now()
     valid_entries = 0
     expired_entries = 0
 

core/comments.py

@@ -7,10 +7,7 @@ All Google Workspace apps (Docs, Sheets, Slides) use the Drive API for comment o
 
 import logging
 import asyncio
-from typing import Dict, Any
 
-from mcp import types
-from googleapiclient.errors import HttpError
 
 from auth.service_decorator import require_google_service
 from core.server import server

core/server.py

@@ -6,7 +6,6 @@ from importlib import metadata
 from fastapi import Header
 from fastapi.responses import HTMLResponse
 
-from mcp import types
 
 from mcp.server.fastmcp import FastMCP
 from starlette.requests import Request
@@ -18,41 +17,41 @@ from auth.oauth_responses import create_error_response, create_success_response,
 # Import shared configuration
 from auth.scopes import (
     OAUTH_STATE_TO_SESSION_ID_MAP,
-    USERINFO_EMAIL_SCOPE,
-    OPENID_SCOPE,
-    CALENDAR_READONLY_SCOPE,
-    CALENDAR_EVENTS_SCOPE,
-    DRIVE_READONLY_SCOPE,
-    DRIVE_FILE_SCOPE,
-    GMAIL_READONLY_SCOPE,
-    GMAIL_SEND_SCOPE,
-    GMAIL_COMPOSE_SCOPE,
-    GMAIL_MODIFY_SCOPE,
-    GMAIL_LABELS_SCOPE,
-    BASE_SCOPES,
-    CALENDAR_SCOPES,
-    DRIVE_SCOPES,
-    GMAIL_SCOPES,
-    DOCS_READONLY_SCOPE,
-    DOCS_WRITE_SCOPE,
-    CHAT_READONLY_SCOPE,
-    CHAT_WRITE_SCOPE,
-    CHAT_SPACES_SCOPE,
-    CHAT_SCOPES,
-    SHEETS_READONLY_SCOPE,
-    SHEETS_WRITE_SCOPE,
-    SHEETS_SCOPES,
-    FORMS_BODY_SCOPE,
-    FORMS_BODY_READONLY_SCOPE,
-    FORMS_RESPONSES_READONLY_SCOPE,
-    FORMS_SCOPES,
-    SLIDES_SCOPE,
-    SLIDES_READONLY_SCOPE,
-    SLIDES_SCOPES,
-    TASKS_SCOPE,
-    TASKS_READONLY_SCOPE,
-    TASKS_SCOPES,
-    SCOPES
+    SCOPES,
+    USERINFO_EMAIL_SCOPE,  # noqa: F401
+    OPENID_SCOPE,  # noqa: F401
+    CALENDAR_READONLY_SCOPE,  # noqa: F401
+    CALENDAR_EVENTS_SCOPE,  # noqa: F401
+    DRIVE_READONLY_SCOPE,  # noqa: F401
+    DRIVE_FILE_SCOPE,  # noqa: F401
+    GMAIL_READONLY_SCOPE,  # noqa: F401
+    GMAIL_SEND_SCOPE,  # noqa: F401
+    GMAIL_COMPOSE_SCOPE,  # noqa: F401
+    GMAIL_MODIFY_SCOPE,  # noqa: F401
+    GMAIL_LABELS_SCOPE,  # noqa: F401
+    BASE_SCOPES,  # noqa: F401
+    CALENDAR_SCOPES,  # noqa: F401
+    DRIVE_SCOPES,  # noqa: F401
+    GMAIL_SCOPES,  # noqa: F401
+    DOCS_READONLY_SCOPE,  # noqa: F401
+    DOCS_WRITE_SCOPE,  # noqa: F401
+    CHAT_READONLY_SCOPE,  # noqa: F401
+    CHAT_WRITE_SCOPE,  # noqa: F401
+    CHAT_SPACES_SCOPE,  # noqa: F401
+    CHAT_SCOPES,  # noqa: F401
+    SHEETS_READONLY_SCOPE,  # noqa: F401
+    SHEETS_WRITE_SCOPE,  # noqa: F401
+    SHEETS_SCOPES,  # noqa: F401
+    FORMS_BODY_SCOPE,  # noqa: F401
+    FORMS_BODY_READONLY_SCOPE,  # noqa: F401
+    FORMS_RESPONSES_READONLY_SCOPE,  # noqa: F401
+    FORMS_SCOPES,  # noqa: F401
+    SLIDES_SCOPE,  # noqa: F401
+    SLIDES_READONLY_SCOPE,  # noqa: F401
+    SLIDES_SCOPES,  # noqa: F401
+    TASKS_SCOPE,  # noqa: F401
+    TASKS_READONLY_SCOPE,  # noqa: F401
+    TASKS_SCOPES,  # noqa: F401
 )
 
 # Configure logging

core/utils.py

@@ -1,10 +1,9 @@
 import io
 import logging
 import os
-import tempfile
-import zipfile, xml.etree.ElementTree as ET
+import zipfile
+import xml.etree.ElementTree as ET
 import ssl
-import time
 import asyncio
 import functools
 
@@ -70,7 +69,7 @@ def check_credentials_directory_permissions(credentials_dir: str = None) -> None
                 try:
                     if os.path.exists(credentials_dir):
                         os.rmdir(credentials_dir)
-                except:
+                except (PermissionError, OSError):
                     pass
                 raise PermissionError(
                     f"Cannot create or write to credentials directory '{os.path.abspath(credentials_dir)}': {e}"

gcalendar/calendar_tools.py

@@ -10,7 +10,6 @@ import asyncio
 import re
 from typing import List, Optional, Dict, Any
 
-from mcp import types
 from googleapiclient.errors import HttpError
 from googleapiclient.discovery import build
 
@@ -300,7 +299,7 @@ async def create_event(
                             title = filename
                             logger.info(f"[create_event] Using filename '{filename}' as attachment title")
                         else:
-                            logger.info(f"[create_event] No filename found, using generic title")
+                            logger.info("[create_event] No filename found, using generic title")
                     except Exception as e:
                         logger.warning(f"Could not fetch metadata for file {file_id}: {e}")
                 event_body["attachments"].append({
@@ -397,7 +396,7 @@ async def modify_event(
         # might handle this more robustly or require start/end with timezone.
         # For now, we'll log a warning and skip applying timezone if start/end are missing.
         logger.warning(
-            f"[modify_event] Timezone provided but start_time and end_time are missing. Timezone will not be applied unless start/end times are also provided."
+            "[modify_event] Timezone provided but start_time and end_time are missing. Timezone will not be applied unless start/end times are also provided."
         )
 
     if not event_body:
@@ -416,7 +415,7 @@ async def modify_event(
             lambda: service.events().get(calendarId=calendar_id, eventId=event_id).execute()
         )
         logger.info(
-            f"[modify_event] Successfully verified event exists before update"
+            "[modify_event] Successfully verified event exists before update"
         )
     except HttpError as get_error:
         if get_error.resp.status == 404:
@@ -475,7 +474,7 @@ async def delete_event(service, user_google_email: str, event_id: str, calendar_
             lambda: service.events().get(calendarId=calendar_id, eventId=event_id).execute()
         )
         logger.info(
-            f"[delete_event] Successfully verified event exists before deletion"
+            "[delete_event] Successfully verified event exists before deletion"
         )
     except HttpError as get_error:
         if get_error.resp.status == 404:

gchat/chat_tools.py

@@ -7,7 +7,6 @@ import logging
 import asyncio
 from typing import Optional
 
-from mcp import types
 from googleapiclient.errors import HttpError
 
 # Auth & server utilities