Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Added MCPProxy role to CertificateRole enum. Enhanced certificate role validation with allow_roles and deny_roles parameters at all validation levels. All tests now use real certificates instead of mocks. Comprehensive test coverage with 1004+ tests. Requires cryptography>=42.0.0 for certificate operations.
Project description
MCP Security Framework
Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting.
Features
- 🔐 Multi-method Authentication: API keys, JWT tokens, X.509 certificates
- 🛡️ SSL/TLS Management: Server and client certificate handling
- 🔑 Role-based Authorization: Flexible permission system with role hierarchy
- ⚡ Rate Limiting: Configurable request rate limiting
- 🚀 Framework Agnostic: Works with FastAPI, Flask, Django, and standalone
- 🛠️ CLI Tools: Certificate management and security testing
- 📊 Comprehensive Logging: Security event logging and monitoring
Quick Start
Installation
# Basic installation
pip install mcp-security-framework
# With framework support
pip install mcp-security-framework[fastapi]
pip install mcp-security-framework[flask]
pip install mcp-security-framework[django]
# Development installation
pip install mcp-security-framework[dev]
Basic Usage
from mcp_security_framework import SecurityManager, SecurityConfig
from mcp_security_framework.schemas.config import AuthConfig, PermissionConfig
# Create configuration
config = SecurityConfig(
auth=AuthConfig(
enabled=True,
methods=["api_key"],
api_keys={"admin": "admin_key_123"}
),
permissions=PermissionConfig(roles_file="roles.json")
)
# Create security manager
security_manager = SecurityManager(config)
# Validate request
result = security_manager.validate_request({
"api_key": "admin_key_123",
"required_permissions": ["read", "write"]
})
if result.is_valid:
print("Access granted!")
else:
print(f"Access denied: {result.error_message}")
FastAPI Integration
from fastapi import FastAPI
from mcp_security_framework import create_fastapi_security_middleware, SecurityConfig
# Configuration
config = SecurityConfig(
auth=AuthConfig(
enabled=True,
methods=["api_key", "jwt"],
api_keys={"user": "user_key_456"}
),
permissions=PermissionConfig(roles_file="roles.json")
)
# Create FastAPI app
app = FastAPI()
# Add security middleware
security_middleware = create_fastapi_security_middleware(config)
app.add_middleware(security_middleware)
@app.get("/secure")
async def secure_endpoint():
return {"message": "Access granted"}
@app.get("/public")
async def public_endpoint():
return {"message": "Public access"}
Flask Integration
from flask import Flask
from mcp_security_framework import create_flask_security_middleware, SecurityConfig
# Configuration
config = SecurityConfig(
auth=AuthConfig(
enabled=True,
methods=["api_key"]
),
permissions=PermissionConfig(roles_file="roles.json")
)
# Create Flask app
app = Flask(__name__)
# Add security middleware
security_middleware = create_flask_security_middleware(config)
app.wsgi_app = security_middleware(app.wsgi_app)
@app.route("/secure")
def secure_endpoint():
return {"message": "Access granted"}
CLI Tools
Certificate Management
# Create root CA
mcp-cert create-ca --ca-name "My Root CA" --output-dir ./certs
# Create client certificate
mcp-cert create-client-cert --name "client1" --roles "user,admin" --permissions "read,write"
# Create server certificate
mcp-cert create-server-cert --name "api-server" --domains "api.example.com"
Security Testing
# Validate configuration
mcp-security validate-config --config-file security_config.json
# Test authentication
mcp-security test-auth --config-file security_config.json --api-key "test_key"
Configuration
Basic Configuration File
{
"ssl": {
"enabled": true,
"cert_file": "server.crt",
"key_file": "server.key",
"ca_cert_file": "ca.crt",
"verify_mode": "CERT_REQUIRED",
"min_version": "TLSv1.2"
},
"auth": {
"enabled": true,
"methods": ["api_key", "jwt", "certificate"],
"api_keys": {
"admin": "admin_key_123",
"user": "user_key_456"
},
"jwt_secret": "your_jwt_secret_key",
"jwt_expiry_hours": 24,
"public_paths": ["/docs", "/health"]
},
"certificates": {
"ca_dir": "./certs",
"roles_oid": "1.3.6.1.4.1.99999.1.1",
"permissions_oid": "1.3.6.1.4.1.99999.1.2",
"verify_certificates": true,
"check_revocation": true
},
"permissions": {
"roles_file": "roles.json",
"deny_by_default": true,
"case_sensitive": false,
"allow_wildcard": true
},
"rate_limit": {
"enabled": true,
"rate_limit": 100,
"time_window": 60,
"by_ip": true,
"by_user": true
}
}
Roles and Permissions
{
"roles": {
"admin": {
"name": "admin",
"description": "Administrator role",
"permissions": ["read", "write", "delete", "admin"],
"priority": 100
},
"user": {
"name": "user",
"description": "Regular user role",
"permissions": ["read", "write"],
"priority": 50
},
"guest": {
"name": "guest",
"description": "Guest role",
"permissions": ["read"],
"priority": 10
}
},
"role_hierarchy": {
"roles": {
"admin": ["user"],
"user": ["guest"]
}
},
"default_policy": {
"deny_by_default": true,
"require_role_match": true,
"case_sensitive": false,
"allow_wildcard": true
}
}
Documentation
Development
Setup Development Environment
# Clone repository
git clone https://github.com/mcp-security/mcp-security-framework.git
cd mcp-security-framework
# Create virtual environment
python -m venv .venv
source .venv/bin/activate # On Windows: .venv\Scripts\activate
# Install development dependencies
pip install -e ".[dev]"
# Install pre-commit hooks
pre-commit install
Running Tests
# Run all tests
pytest
# Run with coverage
pytest --cov=mcp_security_framework --cov-report=html
# Run specific test categories
pytest -m unit
pytest -m integration
pytest -m "not slow"
Code Quality
# Format code
black src tests
isort src tests
# Lint code
flake8 src tests
mypy src
# Run all quality checks
tox
Building Documentation
# Install documentation dependencies
pip install -e ".[docs]"
# Build documentation
sphinx-build -b html docs docs/_build/html
Contributing
We welcome contributions! Please see our Contributing Guide for details.
Development Workflow
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Make your changes
- Add tests for new functionality
- Ensure all tests pass (
pytest) - Format and lint your code (
black,isort,flake8,mypy) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
Security
If you discover a security vulnerability, please report it to us at security@mcp.example.com.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Support
Changelog
See CHANGELOG.md for a list of changes and version history.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
mcp_security_framework-1.3.0.tar.gz
(252.1 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcp_security_framework-1.3.0.tar.gz.
File metadata
- Download URL: mcp_security_framework-1.3.0.tar.gz
- Upload date:
- Size: 252.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
93d05fac06ffe0c7faef236f98aa9c682f242e4475239d41a52158d9dc63b330
|
|
| MD5 |
ccffdc9ce89a5f3662b358c5720787fd
|
|
| BLAKE2b-256 |
b00d4657533637a53a12460a4b428792d1dc9b2ce4797dcb7e1f7bdaa0bbcc80
|
File details
Details for the file mcp_security_framework-1.3.0-py3-none-any.whl.
File metadata
- Download URL: mcp_security_framework-1.3.0-py3-none-any.whl
- Upload date:
- Size: 314.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d0343e659ddab6988c312826ee64e33235c6649cda2dd829d2d335fbf421f7ff
|
|
| MD5 |
dff11d0b9df5974002b054409d67a8bb
|
|
| BLAKE2b-256 |
88528f621b8b2dbdf7b18f7ecf1e63dc37a2746d7b561eb40d667b852b2f8fd2
|
