Merge pull request #189 from cyberkaida/remote-mcp

Add API Key. Add config for server host.

Author: cyberkaida

src/main/java/reva/plugin/ConfigManager.java

@@ -18,6 +18,7 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
 import java.util.concurrent.ConcurrentHashMap;
 
 import ghidra.framework.options.Options;
@@ -39,14 +40,20 @@ public class ConfigManager implements OptionsChangeListener {
 
     // Option names
     public static final String SERVER_PORT = "Server Port";
+    public static final String SERVER_HOST = "Server Host";
     public static final String SERVER_ENABLED = "Server Enabled";
+    public static final String API_KEY_ENABLED = "API Key Authentication Enabled";
+    public static final String API_KEY = "API Key";
     public static final String DEBUG_MODE = "Debug Mode";
     public static final String MAX_DECOMPILER_SEARCH_FUNCTIONS = "Max Decompiler Search Functions";
     public static final String DECOMPILER_TIMEOUT_SECONDS = "Decompiler Timeout Seconds";
 
     // Default values
     private static final int DEFAULT_PORT = 8080;
+    private static final String DEFAULT_HOST = "127.0.0.1";
     private static final boolean DEFAULT_SERVER_ENABLED = true;
+    private static final boolean DEFAULT_API_KEY_ENABLED = false;
+    private static final String DEFAULT_API_KEY = "";
     private static final boolean DEFAULT_DEBUG_MODE = false;
     private static final int DEFAULT_MAX_DECOMPILER_SEARCH_FUNCTIONS = 1000;
     private static final int DEFAULT_DECOMPILER_TIMEOUT_SECONDS = 10;
@@ -79,11 +86,27 @@ public ConfigManager(PluginTool tool) {
      */
     private void registerOptionsWithGhidra() {
         HelpLocation help = new HelpLocation("ReVa", "Configuration");
-        
+
         toolOptions.registerOption(SERVER_PORT, DEFAULT_PORT, help,
             "Port number for the ReVa MCP server");
+        toolOptions.registerOption(SERVER_HOST, DEFAULT_HOST, help,
+            "Host interface for the ReVa MCP server (127.0.0.1 for localhost only, 0.0.0.0 for all interfaces)");
         toolOptions.registerOption(SERVER_ENABLED, DEFAULT_SERVER_ENABLED, help,
             "Whether the ReVa MCP server is enabled");
+        toolOptions.registerOption(API_KEY_ENABLED, DEFAULT_API_KEY_ENABLED, help,
+            "Whether API key authentication is required for MCP server access");
+
+        // Only generate a new API key if one does not already exist
+        String existingApiKey = toolOptions.getString(API_KEY, null);
+        boolean isApiKeyMissing = (existingApiKey == null || existingApiKey.isEmpty());
+        String apiKeyToRegister = isApiKeyMissing ? generateDefaultApiKey() : existingApiKey;
+        toolOptions.registerOption(API_KEY, apiKeyToRegister, help,
+            "API key required for MCP server access when authentication is enabled");
+
+        // Ensure the generated key is actually set in the options
+        if (isApiKeyMissing) {
+            toolOptions.setString(API_KEY, apiKeyToRegister);
+        }
         toolOptions.registerOption(DEBUG_MODE, DEFAULT_DEBUG_MODE, help,
             "Whether debug mode is enabled");
         toolOptions.registerOption(MAX_DECOMPILER_SEARCH_FUNCTIONS, DEFAULT_MAX_DECOMPILER_SEARCH_FUNCTIONS, help,
@@ -98,7 +121,14 @@ private void registerOptionsWithGhidra() {
     protected void loadOptions() {
         // Cache the options
         cachedOptions.put(SERVER_PORT, toolOptions.getInt(SERVER_PORT, DEFAULT_PORT));
+        cachedOptions.put(SERVER_HOST, toolOptions.getString(SERVER_HOST, DEFAULT_HOST));
         cachedOptions.put(SERVER_ENABLED, toolOptions.getBoolean(SERVER_ENABLED, DEFAULT_SERVER_ENABLED));
+        cachedOptions.put(API_KEY_ENABLED, toolOptions.getBoolean(API_KEY_ENABLED, DEFAULT_API_KEY_ENABLED));
+
+        // Get the actual API key that was registered (could be generated or existing)
+        String apiKey = toolOptions.getString(API_KEY, DEFAULT_API_KEY);
+        cachedOptions.put(API_KEY, apiKey);
+
         cachedOptions.put(DEBUG_MODE, toolOptions.getBoolean(DEBUG_MODE, DEFAULT_DEBUG_MODE));
         cachedOptions.put(MAX_DECOMPILER_SEARCH_FUNCTIONS,
             toolOptions.getInt(MAX_DECOMPILER_SEARCH_FUNCTIONS, DEFAULT_MAX_DECOMPILER_SEARCH_FUNCTIONS));
@@ -179,6 +209,23 @@ public void setServerPort(int port) {
         // optionsChanged() will be called automatically
     }
 
+    /**
+     * Get the server host
+     * @return The configured server host
+     */
+    public String getServerHost() {
+        return (String) cachedOptions.getOrDefault(SERVER_HOST, DEFAULT_HOST);
+    }
+
+    /**
+     * Set the server host
+     * @param host The host interface to bind to
+     */
+    public void setServerHost(String host) {
+        toolOptions.setString(SERVER_HOST, host);
+        // optionsChanged() will be called automatically
+    }
+
     /**
      * Check if the server is enabled
      * @return True if the server is enabled
@@ -196,6 +243,40 @@ public void setServerEnabled(boolean enabled) {
         // optionsChanged() will be called automatically
     }
 
+    /**
+     * Check if API key authentication is enabled
+     * @return True if API key authentication is enabled
+     */
+    public boolean isApiKeyEnabled() {
+        return (Boolean) cachedOptions.getOrDefault(API_KEY_ENABLED, DEFAULT_API_KEY_ENABLED);
+    }
+
+    /**
+     * Set whether API key authentication is enabled
+     * @param enabled True to enable API key authentication
+     */
+    public void setApiKeyEnabled(boolean enabled) {
+        toolOptions.setBoolean(API_KEY_ENABLED, enabled);
+        // optionsChanged() will be called automatically
+    }
+
+    /**
+     * Get the API key
+     * @return The configured API key
+     */
+    public String getApiKey() {
+        return (String) cachedOptions.getOrDefault(API_KEY, DEFAULT_API_KEY);
+    }
+
+    /**
+     * Set the API key
+     * @param apiKey The API key to use
+     */
+    public void setApiKey(String apiKey) {
+        toolOptions.setString(API_KEY, apiKey);
+        // optionsChanged() will be called automatically
+    }
+
     /**
      * Check if debug mode is enabled
      * @return True if debug mode is enabled
@@ -247,6 +328,14 @@ public void setDecompilerTimeoutSeconds(int timeoutSeconds) {
         // optionsChanged() will be called automatically
     }
 
+    /**
+     * Generate a default API key with ReVa-UUID format
+     * @return A new API key in the format "ReVa-{uuid}"
+     */
+    private String generateDefaultApiKey() {
+        return "ReVa-" + UUID.randomUUID().toString();
+    }
+
     /**
      * Clean up when the plugin is disposed
      */

src/main/java/reva/server/ApiKeyAuthFilter.java

@@ -0,0 +1,155 @@
+/* ###
+ * IP: GHIDRA
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package reva.server;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.FilterConfig;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import ghidra.util.Msg;
+
+import reva.plugin.ConfigManager;
+
+/**
+ * Authentication filter for API key-based access control to the MCP server.
+ * Checks for the X-API-Key header when authentication is enabled in configuration.
+ */
+public class ApiKeyAuthFilter implements Filter {
+    private static final String API_KEY_HEADER = "X-API-Key";
+    private static final ObjectMapper JSON_MAPPER = new ObjectMapper();
+
+    private final ConfigManager configManager;
+
+    /**
+     * Constructor
+     * @param configManager The configuration manager to get API key settings from
+     */
+    public ApiKeyAuthFilter(ConfigManager configManager) {
+        this.configManager = configManager;
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        // No initialization needed
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+
+        // Only process HTTP requests
+        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+        // Check if API key authentication is enabled
+        if (!configManager.isApiKeyEnabled()) {
+            // Authentication disabled - allow all requests
+            chain.doFilter(request, response);
+            return;
+        }
+
+        // Get the API key from the request header
+        String providedApiKey = httpRequest.getHeader(API_KEY_HEADER);
+        String configuredApiKey = configManager.getApiKey();
+
+        // Validate API key
+        if (providedApiKey == null || providedApiKey.trim().isEmpty()) {
+            Msg.warn(this, "API key authentication failed: missing X-API-Key header from " +
+                     getClientInfo(httpRequest));
+            sendUnauthorizedResponse(httpResponse, "Missing X-API-Key header");
+            return;
+        }
+
+        if (configuredApiKey == null || configuredApiKey.trim().isEmpty()) {
+            Msg.error(this, "API key authentication failed: no API key configured in settings");
+            sendUnauthorizedResponse(httpResponse, "Server configuration error");
+            return;
+        }
+
+        if (!providedApiKey.equals(configuredApiKey)) {
+            Msg.warn(this, "API key authentication failed: invalid API key from " +
+                     getClientInfo(httpRequest));
+            sendUnauthorizedResponse(httpResponse, "Invalid API key");
+            return;
+        }
+
+        // API key is valid - allow the request to continue
+        Msg.debug(this, "API key authentication successful for " + getClientInfo(httpRequest));
+        chain.doFilter(request, response);
+    }
+
+    @Override
+    public void destroy() {
+        // No cleanup needed
+    }
+
+    /**
+     * Send an HTTP 401 Unauthorized response
+     * @param response The HTTP response to modify
+     * @param message The error message to include
+     * @throws IOException If writing the response fails
+     */
+    private void sendUnauthorizedResponse(HttpServletResponse response, String message) throws IOException {
+        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        response.setContentType("application/json");
+
+        // Use Jackson to properly serialize JSON and prevent injection
+        Map<String, String> errorResponse = new HashMap<>();
+        errorResponse.put("error", "Unauthorized");
+        errorResponse.put("message", message);
+
+        response.getWriter().write(JSON_MAPPER.writeValueAsString(errorResponse));
+    }
+
+    /**
+     * Get client information for logging
+     * @param request The HTTP request
+     * @return A string with client IP and user agent
+     */
+    private String getClientInfo(HttpServletRequest request) {
+        String clientIP = null;
+        String xForwardedFor = request.getHeader("X-Forwarded-For");
+        if (xForwardedFor != null && !xForwardedFor.isEmpty()) {
+            // X-Forwarded-For can contain multiple IPs, the first is the original client
+            clientIP = xForwardedFor.split(",")[0].trim();
+        } else {
+            String xRealIp = request.getHeader("X-Real-IP");
+            if (xRealIp != null && !xRealIp.isEmpty()) {
+                clientIP = xRealIp;
+            } else {
+                clientIP = request.getRemoteAddr();
+            }
+        }
+        String userAgent = request.getHeader("User-Agent");
+        return clientIP + (userAgent != null ? " (" + userAgent + ")" : "");
+    }
+}

src/main/java/reva/server/McpServerManager.java

@@ -22,9 +22,14 @@
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.servlet.FilterHolder;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 
+import java.util.EnumSet;
+import jakarta.servlet.DispatcherType;
+
 import com.fasterxml.jackson.databind.ObjectMapper;
 
 import generic.concurrent.GThreadPool;
@@ -184,16 +189,30 @@ public void startServer() {
         }
 
         int serverPort = configManager.getServerPort();
-        String baseUrl = "http://localhost:" + serverPort;
+        String serverHost = configManager.getServerHost();
+        String baseUrl = "http://" + serverHost + ":" + serverPort;
         Msg.info(this, "Starting MCP server on " + baseUrl);
 
         ServletContextHandler servletContextHandler = new ServletContextHandler(ServletContextHandler.SESSIONS);
         servletContextHandler.setContextPath("/");
+
+        // Add API key authentication filter if enabled
+        if (configManager.isApiKeyEnabled()) {
+            FilterHolder filterHolder = new FilterHolder(new ApiKeyAuthFilter(configManager));
+            servletContextHandler.addFilter(filterHolder, "/*", EnumSet.of(DispatcherType.REQUEST));
+            Msg.info(this, "API key authentication enabled for MCP server");
+        }
+
         ServletHolder servletHolder = new ServletHolder(currentTransportProvider);
         servletHolder.setAsyncSupported(true);
         servletContextHandler.addServlet(servletHolder, "/*");
 
-        httpServer = new Server(serverPort);
+        // Create server with specific host binding for security
+        httpServer = new Server();
+        ServerConnector connector = new ServerConnector(httpServer);
+        connector.setHost(serverHost);
+        connector.setPort(serverPort);
+        httpServer.addConnector(connector);
         httpServer.setHandler(servletContextHandler);
 
         threadPool.submit(() -> {
@@ -375,12 +394,13 @@ public void restartServer() {
     }
 
     /**
-     * Recreate the transport provider with updated port configuration.
-     * This is necessary when the port changes during server restart.
+     * Recreate the transport provider with updated configuration.
+     * This is necessary when configuration changes during server restart.
      */
     private void recreateTransportProvider() {
         int serverPort = configManager.getServerPort();
-        String baseUrl = "http://localhost:" + serverPort;
+        String serverHost = configManager.getServerHost();
+        String baseUrl = "http://" + serverHost + ":" + serverPort;
 
         // Create new transport provider with updated configuration
         currentTransportProvider = HttpServletStreamableServerTransportProvider.builder()
@@ -420,9 +440,18 @@ public void onConfigChanged(String category, String name, Object oldValue, Objec
             if (ConfigManager.SERVER_PORT.equals(name)) {
                 Msg.info(this, "Server port changed from " + oldValue + " to " + newValue + ". Restarting server...");
                 restartServer();
+            } else if (ConfigManager.SERVER_HOST.equals(name)) {
+                Msg.info(this, "Server host changed from " + oldValue + " to " + newValue + ". Restarting server...");
+                restartServer();
             } else if (ConfigManager.SERVER_ENABLED.equals(name)) {
                 Msg.info(this, "Server enabled setting changed from " + oldValue + " to " + newValue + ". Restarting server...");
                 restartServer();
+            } else if (ConfigManager.API_KEY_ENABLED.equals(name)) {
+                Msg.info(this, "API key authentication setting changed from " + oldValue + " to " + newValue + ". Restarting server...");
+                restartServer();
+            } else if (ConfigManager.API_KEY.equals(name)) {
+                Msg.info(this, "API key changed. Restarting server...");
+                restartServer();
             }
         }
     }