Merge pull request #53 from dheerajoruganty/feature/latest-changes

FGAC For MCPGW's Intelligent tool finder

Author: aarora79

agents/agent.py

@@ -54,6 +54,8 @@
 import mcp
 from mcp import ClientSession
 from mcp.client.sse import sse_client
+import httpx
+import re
 
 # Import dotenv for loading environment variables
 try:
@@ -334,15 +336,22 @@ async def invoke_mcp_tool(mcp_registry_url: str, server_name: str, tool_name: st
     # Construct the MCP server URL from the registry URL and server name using standard URL parsing
     parsed_url = urlparse(mcp_registry_url)
 
-    # Extract the scheme and netloc (hostname:port) from the parsed URL
+    # Extract the scheme, netloc and path from the parsed URL
     scheme = parsed_url.scheme
     netloc = parsed_url.netloc
+    path = parsed_url.path
+    
+    # If the path ends with '/sse', remove it to get the base path
+    if path.endswith('/sse'):
+        base_path = path[:-4]  # Remove '/sse' from the end
+    else:
+        base_path = path
 
-    # Construct the base URL with scheme and netloc
-    base_url = f"{scheme}://{netloc}"
+    # Construct the base URL with scheme, netloc and base path
+    base_url = f"{scheme}://{netloc}{base_path}"
 
     # Create the server URL by joining the base URL with the server name and sse path
-    server_url = urljoin(base_url, f"{server_name}/sse")
+    server_url = urljoin(base_url + '/', f"{server_name}/sse")
     print(f"Server URL: {server_url}")
 
     # Prepare headers based on authentication method
@@ -399,6 +408,60 @@ def redact_sensitive_value(value: str, show_chars: int = 4) -> str:
         return "*" * len(value) if value else ""
     return value[:show_chars] + "*" * (len(value) - show_chars)
 
+def normalize_sse_endpoint_url_for_request(url_str: str, original_sse_url: str) -> str:
+    """
+    Normalize URLs in HTTP requests by preserving mount paths for non-mounted servers.
+    
+    This function only applies fixes when the request is for the same server as the original SSE URL.
+    It should NOT modify requests to different servers (like currenttime, fininfo, etc.)
+    
+    Example: 
+    - Original SSE: http://localhost/mcpgw2/sse
+    - Request to same server: http://localhost/messages/?session_id=123 -> http://localhost/mcpgw2/messages/?session_id=123
+    - Request to different server: http://localhost/currenttime/messages/?session_id=123 -> unchanged (already correct)
+    """
+    if '/messages/' not in url_str:
+        return url_str
+    
+    # Parse the original SSE URL to extract the base path
+    from urllib.parse import urlparse
+    parsed_original = urlparse(original_sse_url)
+    parsed_current = urlparse(url_str)
+    
+    # Only apply fixes if this is the same host/port as the original SSE URL
+    if parsed_current.netloc != parsed_original.netloc:
+        return url_str
+    
+    original_path = parsed_original.path
+    
+    # Remove /sse from the original path to get the base mount path
+    if original_path.endswith('/sse'):
+        base_mount_path = original_path[:-4]  # Remove '/sse'
+    else:
+        base_mount_path = original_path
+    
+    # Only apply the fix if:
+    # 1. There is a base mount path (non-empty)
+    # 2. The current path is exactly /messages/... (indicating it's missing the mount path)
+    # 3. The current path doesn't already contain a mount path
+    if (base_mount_path and 
+        parsed_current.path.startswith('/messages/') and
+        not parsed_current.path.startswith(base_mount_path)):
+        
+        # The mount path is missing, we need to add it back
+        # Reconstruct the URL with the mount path
+        new_path = base_mount_path + parsed_current.path
+        fixed_url = f"{parsed_current.scheme}://{parsed_current.netloc}{new_path}"
+        if parsed_current.query:
+            fixed_url += f"?{parsed_current.query}"
+        if parsed_current.fragment:
+            fixed_url += f"#{parsed_current.fragment}"
+        
+        logger.debug(f"Fixed mount path in request URL: {url_str} -> {fixed_url}")
+        return fixed_url
+    
+    return url_str
+
 def load_system_prompt():
     """
     Load the system prompt template from the system_prompt.txt file.
@@ -593,89 +656,117 @@ async def main():
                 redacted_headers[k] = v
         logger.info(f"Using authentication headers: {redacted_headers}")
 
-        # Initialize MCP client with the server configuration and authentication headers
-        client = MultiServerMCPClient(
-            {
-                "mcp_registry": {
-                    "url": server_url,
-                    "transport": "sse",
-                    "headers": auth_headers
-                }
-            }
-        )
-        logger.info("Connected to MCP server successfully with authentication")
-
-        # Get available tools from MCP and display them
-        mcp_tools = await client.get_tools()
-        logger.info(f"Available MCP tools: {[tool.name for tool in mcp_tools]}")
-        
-        # Add the calculator and invoke_mcp_tool to the tools array
-        # The invoke_mcp_tool function already supports authentication parameters
-        all_tools = [calculator, invoke_mcp_tool] + mcp_tools
-        logger.info(f"All available tools: {[tool.name if hasattr(tool, 'name') else tool.__name__ for tool in all_tools]}")
+        # Apply monkey patch to fix mount path issues in httpx requests
+        # This fixes the issue where non-mounted servers with default paths lose their mount path
+        # in POST requests to /messages/ endpoints
+        original_request = httpx.AsyncClient.request
 
-        # Create the agent with the model and all tools
-        agent = create_react_agent(
-            model,
-            all_tools
-        )
+        async def patched_request(self, method, url, **kwargs):
+            # Fix mount path issues in requests
+            if isinstance(url, str) and '/messages/' in url:
+                url = normalize_sse_endpoint_url_for_request(url, server_url)
+            elif hasattr(url, '__str__') and '/messages/' in str(url):
+                url = normalize_sse_endpoint_url_for_request(str(url), server_url)
+            return await original_request(self, method, url, **kwargs)
 
-        # Load and format the system prompt with the current time and MCP registry URL
-        system_prompt_template = load_system_prompt()
+        # Apply the patch
+        httpx.AsyncClient.request = patched_request
+        logger.info("Applied httpx monkey patch to fix mount path issues")
 
-        # Prepare authentication parameters for system prompt
-        if args.use_session_cookie:
-            system_prompt = system_prompt_template.format(
-                current_utc_time=current_utc_time,
-                mcp_registry_url=args.mcp_registry_url,
-                auth_token='',  # Not used for session cookie auth
-                user_pool_id=args.user_pool_id or '',
-                client_id=args.client_id or '',
-                region=args.region or 'us-east-1',
-                auth_method=auth_method,
-                session_cookie=session_cookie
+        try:
+            # Initialize MCP client with the server configuration and authentication headers
+            client = MultiServerMCPClient(
+                {
+                    "mcp_registry": {
+                        "url": server_url,
+                        "transport": "sse",
+                        "headers": auth_headers
+                    }
+                }
             )
-        else:
-            system_prompt = system_prompt_template.format(
-                current_utc_time=current_utc_time,
-                mcp_registry_url=args.mcp_registry_url,
-                auth_token=access_token,
-                user_pool_id=args.user_pool_id,
-                client_id=args.client_id,
-                region=args.region,
-                auth_method=auth_method,
-                session_cookie=''  # Not used for M2M auth
+            logger.info("Connected to MCP server successfully with authentication, server_url: " + server_url)
+
+            # Get available tools from MCP and display them
+            mcp_tools = await client.get_tools()
+            logger.info(f"Available MCP tools: {[tool.name for tool in mcp_tools]}")
+            
+            # Add the calculator and invoke_mcp_tool to the tools array
+            # The invoke_mcp_tool function already supports authentication parameters
+            all_tools = [calculator, invoke_mcp_tool] + mcp_tools
+            logger.info(f"All available tools: {[tool.name if hasattr(tool, 'name') else tool.__name__ for tool in all_tools]}")
+            
+            # Create the agent with the model and all tools
+            agent = create_react_agent(
+                model,
+                all_tools
             )
-        
-        # Format the message with system message first
-        formatted_messages = [
-            {"role": "system", "content": system_prompt},
-            {"role": "user", "content": args.message}
-        ]
-        
-        logger.info("\nInvoking agent...\n" + "-"*40)
-        
-        # Invoke the agent with the formatted messages
-        response = await agent.ainvoke({"messages": formatted_messages})
-        
-        logger.info("\nResponse:" + "\n" + "-"*40)
-        #print(response)
-        print_agent_response(response)
-        
-        # Process and display the response
-        if response and "messages" in response and response["messages"]:
-            # Get the last message from the response
-            last_message = response["messages"][-1]
 
-            if isinstance(last_message, dict) and "content" in last_message:
-                # Display the content of the response
-                print(last_message["content"])
+            # Load and format the system prompt with the current time and MCP registry URL
+            system_prompt_template = load_system_prompt()
+            
+            # Prepare authentication parameters for system prompt
+            if args.use_session_cookie:
+                system_prompt = system_prompt_template.format(
+                    current_utc_time=current_utc_time,
+                    mcp_registry_url=args.mcp_registry_url,
+                    auth_token='',  # Not used for session cookie auth
+                    user_pool_id=args.user_pool_id or '',
+                    client_id=args.client_id or '',
+                    region=args.region or 'us-east-1',
+                    auth_method=auth_method,
+                    session_cookie=session_cookie
+                )
             else:
-                print(str(last_message.content))
-        else:
-            print("No valid response received")
+                system_prompt = system_prompt_template.format(
+                    current_utc_time=current_utc_time,
+                    mcp_registry_url=args.mcp_registry_url,
+                    auth_token=access_token,
+                    user_pool_id=args.user_pool_id,
+                    client_id=args.client_id,
+                    region=args.region,
+                    auth_method=auth_method,
+                    session_cookie=''  # Not used for M2M auth
+                )
+            
+            # Format the message with system message first
+            formatted_messages = [
+                {"role": "system", "content": system_prompt},
+                {"role": "user", "content": args.message}
+            ]
+            
+            logger.info("\nInvoking agent...\n" + "-"*40)
+            
+            # Invoke the agent with the formatted messages
+            response = await agent.ainvoke({"messages": formatted_messages})
+            
+            logger.info("\nResponse:" + "\n" + "-"*40)
+            #print(response)
+            print_agent_response(response)
+            
+            # Process and display the response
+            if response and "messages" in response and response["messages"]:
+                # Get the last message from the response
+                last_message = response["messages"][-1]
+                
+                if isinstance(last_message, dict) and "content" in last_message:
+                    # Display the content of the response
+                    print(last_message["content"])
+                else:
+                    print(str(last_message.content))
+            else:
+                print("No valid response received")
+                
+        finally:
+            # Restore original httpx behavior
+            httpx.AsyncClient.request = original_request
+            logger.info("Restored original httpx behavior")
 
     except Exception as e:
+        # Restore original httpx behavior in case of error
+        try:
+            httpx.AsyncClient.request = original_request
+        except NameError:
+            pass  # original_request might not be defined if error occurred before monkey patch
         print(f"Error: {str(e)}")
         import traceback
         print(traceback.format_exc())

auth_server/server.py

@@ -725,7 +725,7 @@ async def validate_request(request: Request):
 
         # Validate scope-based access if we have server/tool information
         user_scopes = validation_result.get('scopes', [])
-        if request_payload and server_name and tool_name and user_scopes:
+        if request_payload and server_name and tool_name:
             # Extract method and actual tool name
             method = tool_name  # The extracted tool_name is actually the method
             actual_tool_name = None
@@ -737,6 +737,15 @@ async def validate_request(request: Request):
                     actual_tool_name = params.get('name')
                     logger.info(f"Extracted actual tool name for tools/call: '{actual_tool_name}'")
 
+            # Check if user has any scopes - if not, deny access (fail closed)
+            if not user_scopes:
+                logger.warning(f"Access denied for user {validation_result.get('username')} to {server_name}.{method} (tool: {actual_tool_name}) - no scopes configured")
+                raise HTTPException(
+                    status_code=403,
+                    detail=f"Access denied to {server_name}.{method} - user has no scopes configured",
+                    headers={"Connection": "close"}
+                )
+            
             if not validate_server_tool_access(server_name, method, actual_tool_name, user_scopes):
                 logger.warning(f"Access denied for user {validation_result.get('username')} to {server_name}.{method} (tool: {actual_tool_name})")
                 raise HTTPException(

docker-compose.yml

@@ -27,6 +27,7 @@ services:
       - /opt/mcp-gateway/models:/app/registry/models
       - /home/ubuntu/ssl_data:/etc/ssl
       - /var/log/mcp-gateway:/app/logs
+      - /opt/mcp-gateway/auth_server/scopes.yml:/app/auth_server/scopes.yml
     depends_on:
       - auth-server
     restart: unless-stopped
@@ -49,6 +50,7 @@ services:
       - "8888:8888"
     volumes:
       - /var/log/mcp-gateway:/app/logs
+      - /opt/mcp-gateway/auth_server/scopes.yml:/app/auth_server/scopes.yml
     restart: unless-stopped
 
   # Current Time MCP Server
@@ -93,6 +95,7 @@ services:
     volumes:
       - /opt/mcp-gateway/servers:/app/registry/servers
       - /opt/mcp-gateway/models:/app/registry/models
+      - /opt/mcp-gateway/auth_server/scopes.yml:/app/auth_server/scopes.yml
     ports:
       - "8003:8003"
     depends_on:

registry/api/server_routes.py

@@ -65,6 +65,9 @@ def can_perform_action(permission: str, service_name: str) -> bool:
 
     # Filter services based on UI permissions
     accessible_services = user_context.get('accessible_services', [])
+    logger.info(f"DEBUG: User {user_context['username']} accessible_services: {accessible_services}")
+    logger.info(f"DEBUG: User {user_context['username']} ui_permissions: {user_context.get('ui_permissions', {})}")
+    logger.info(f"DEBUG: User {user_context['username']} scopes: {user_context.get('scopes', [])}")
 
     for path in sorted_server_paths:
         server_info = all_servers[path]

registry/core/nginx_service.py

@@ -118,6 +118,15 @@ async def generate_config_async(self, servers: Dict[str, Dict[str, Any]]) -> boo
         # Authenticate request - pass entire request to auth server
         auth_request /validate;
         
+        # Capture auth server response headers for forwarding
+        auth_request_set $auth_user $upstream_http_x_user;
+        auth_request_set $auth_username $upstream_http_x_username;
+        auth_request_set $auth_client_id $upstream_http_x_client_id;
+        auth_request_set $auth_scopes $upstream_http_x_scopes;
+        auth_request_set $auth_method $upstream_http_x_auth_method;
+        auth_request_set $auth_server_name $upstream_http_x_server_name;
+        auth_request_set $auth_tool_name $upstream_http_x_tool_name;
+        
         # Proxy to MCP server
         proxy_pass {proxy_pass_url};
         proxy_http_version 1.1;
@@ -135,6 +144,15 @@ async def generate_config_async(self, servers: Dict[str, Dict[str, Any]]) -> boo
         proxy_set_header X-Client-Id $http_x_client_id;
         proxy_set_header X-Region $http_x_region;
         
+        # Forward auth server response headers to backend
+        proxy_set_header X-User $auth_user;
+        proxy_set_header X-Username $auth_username;
+        proxy_set_header X-Client-Id-Auth $auth_client_id;
+        proxy_set_header X-Scopes $auth_scopes;
+        proxy_set_header X-Auth-Method $auth_method;
+        proxy_set_header X-Server-Name $auth_server_name;
+        proxy_set_header X-Tool-Name $auth_tool_name;
+        
         # For SSE connections and WebSocket upgrades
         proxy_buffering off;
         proxy_cache off;

servers/mcpgw/pyproject.toml

@@ -5,7 +5,7 @@ description = "MCP server to interact with the MCP Gateway Registry API" # Updat
 readme = "README.md"
 requires-python = ">=3.12,<3.13"
 dependencies = [
-   "mcp>=1.9.3",
+   "fastmcp>=2.0.0",  # Updated to FastMCP 2.0
    "pydantic>=2.11.3",
    "httpx>=0.27.0", # Added httpx
    "python-dotenv>=1.0.0", # Added dotenv as it's used in server.py