containerized approach

Author: Nisha Saini

.containerignore

@@ -0,0 +1,4 @@
+.env
+.venv
+__pycache__
+*.pyc

.gitignore

@@ -0,0 +1,2 @@
+.env
+.vscode

Containerfile

@@ -1,20 +1,14 @@
-FROM registry.redhat.io/ubi9/python-311
+FROM python:3.11-slim
 
-# Set working directory
+# Set work directory
 WORKDIR /app
 
-# Copy requirements first for better caching
-COPY requirements.txt .
-
-# Install Python dependencies
+# Install dependencies
+COPY requirements.txt ./
 RUN pip install --no-cache-dir -r requirements.txt
 
-# Copy server code
-COPY gitlab_mcp_server.py .
-
-# Set environment variables
-ENV MCP_TRANSPORT=stdio
-ENV PYTHONPATH=/app
+# Copy source code (uses .containerignore)
+COPY . .
 
-# Run the MCP server
-CMD ["python", "gitlab_mcp_server.py"]
+# Entrypoint
+CMD ["python", "gitlab_mcp_server.py"] 

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Red Hat, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,40 @@
+
+_default: run
+
+SHELL := /bin/bash
+SCRIPT_DIR := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
+IMG := localhost/gitlab-mcp:latest
+ENV_FILE := $(HOME)/.rh-gitlab-mcp.env
+
+.PHONY: build run clean test cursor-config setup
+
+build:
+	@echo "🛠️ Building GitLab MCP server image"
+	podman build -t $(IMG) .
+
+# Notes:
+# - $(ENV_FILE) is expected to define _URL & JIRA_API_TOKEN.
+# - The --tty option is used here since we might run this in a
+#   terminal, but for the mcp.json version we don't use --tty.
+# - You can use Ctrl-D to quit nicely.
+run:
+	@podman run -i --tty --rm --env-file $(ENV_FILE) $(IMG)
+
+clean:
+	podman rmi -i $(IMG)
+
+# For easier onboarding (and convenient hacking and testing), use this to
+# configure Cursor by adding or updating an entry in the ~/.cursor/mcp.json
+# file. Beware it might overwrite your customizations.
+MCP_JSON=$(HOME)/.cursor/mcp.json
+cursor-config:
+	@echo "🛠️ Modifying $(MCP_JSON)"
+	@yq -ojson '. *= load("example.mcp.json")' -i $(MCP_JSON)
+	@yq -ojson $(MCP_JSON)
+
+# Copy the example .env file only if it doesn't exist already
+$(ENV_FILE):
+	@cp example.env $@
+	@echo "🛠️ Env file created. Edit $@ to add your Jira token"
+
+setup: build cursor-config $(ENV_FILE)

README.md

@@ -105,12 +105,35 @@ The MCP follows:
 ```bash
 # Required
 export MCP_GITLAB_TOKEN="your-gitlab-token"
+export MCP_ALLOWED_REPOS="patterns"         # Repository patterns (REQUIRED)
 
 # Optional
 export GITLAB_URL="https://gitlab.example.com"
 export MCP_MAX_API_CALLS="100"
-export MCP_ALLOWED_ACTIONS="read"
-export MCP_ALLOWED_REPOS="project1,project2"  # Empty = all allowed
+```
+
+**Note**: Actions are hardcoded to read-only for security - write operations are never permitted.
+
+### 🔒 Repository Access Control (Updated)
+
+`MCP_ALLOWED_REPOS` is **required** and specifies which repositories can be accessed using wildcard patterns.
+
+**Pattern Examples**:
+```bash
+# Specific repositories only
+export MCP_ALLOWED_REPOS="repo1,repo2"
+
+# All repositories in a group  
+export MCP_ALLOWED_REPOS="automotive/*"
+
+# Specific subgroup
+export MCP_ALLOWED_REPOS="automotive/pipe-x/*"
+
+# Mixed patterns (most flexible)
+export MCP_ALLOWED_REPOS="repo1,automotive/*,group3/sub-group3/*,projectabc"
+
+# Any user's specific repository
+export MCP_ALLOWED_REPOS="*/downstream-pipelines-as-code"
 ```
 
 ## Example Workflows

Usage_steps.md

@@ -0,0 +1,24 @@
+# GitLab MCP Server Configuration
+# Edit these values for your GitLab instance
+
+# Required: GitLab personal access token
+MCP_GITLAB_TOKEN=${YOUR_MCP_GITLAB_TOKEN}
+
+# Required: Comma-separated list of allowed repositories
+# Examples:
+#   Specific repos: MCP_ALLOWED_REPOS=systemd-tests,my-project,123
+#   Group wildcards: MCP_ALLOWED_REPOS=tekton/*,redhat-ai-tools/*
+#   Mixed: MCP_ALLOWED_REPOS=specific-repo,group/*,12345
+MCP_ALLOWED_REPOS=redhat/edge/ci-cd/pipe-x/*
+
+# Optional: Custom GitLab URL (defaults to gitlab.com)
+GITLAB_URL=https://gitlab.com
+
+# Optional: Transport mode (stdio or http)
+MCP_TRANSPORT=stdio
+
+# Optional: API rate limiting
+MCP_MAX_API_CALLS=100
+
+# Optional: Allowed actions (comma-separated)
+MCP_ALLOWED_ACTIONS=read,search,list,check

example.env

@@ -0,0 +1,16 @@
+{
+  "mcpServers": {
+    "jiraMcp": {
+      "command": "podman",
+      "args": [
+        "run",
+        "-i",
+        "--rm",
+        "--env-file",
+        "~/.rh-gitlab-mcp.env",
+        "localhost/gitlab_mcp_server:latest"
+      ],
+      "description": "A containerized MCP server to query gitlab projects"
+    }
+  }
+}

example.mcp.json

@@ -8,6 +8,7 @@
 import json
 import logging
 import time
+import fnmatch
 from collections import defaultdict
 from typing import Any, Dict, List, Optional
 import asyncio
@@ -28,8 +29,20 @@ class GitLabConfig:
     def __init__(self):
         # While using a client like cursor limit the api calls, actions & repos
         self.max_api_calls_per_hour = int(os.getenv("MCP_MAX_API_CALLS", "100"))
-        self.allowed_actions = os.getenv("MCP_ALLOWED_ACTIONS", "read").split(",")
-        self.allowed_repos = os.getenv("MCP_ALLOWED_REPOS", "").split(",") if os.getenv("MCP_ALLOWED_REPOS") else []
+        
+        # CRITICAL: Hardcoded read-only actions for security - no configuration allowed
+        # For security, we only allow read-only queries - write operations are never permitted
+        self.allowed_actions = ['read', 'list', 'search', 'get', 'check', 'info', 'describe', 'find']
+        
+        # Parse MCP_ALLOWED_REPOS with support for wildcards: repo1,group1/*,group2/subgroup/*,exact-project
+        # This is now a REQUIRED environment variable
+        allowed_repos_env = os.getenv("MCP_ALLOWED_REPOS")
+        if not allowed_repos_env:
+            raise ValueError("MCP_ALLOWED_REPOS is required. Set repository patterns like 'automotive/*,project1,group/subgroup/*'")
+        
+        self.allowed_repos = [repo.strip() for repo in allowed_repos_env.split(",") if repo.strip()]
+        if not self.allowed_repos:
+            raise ValueError("MCP_ALLOWED_REPOS cannot be empty. Specify at least one repository pattern.")
 
         # Rate limiting tracking
         self.api_calls = defaultdict(list)
@@ -42,13 +55,33 @@ def __init__(self):
         if not self.gitlab_token:
             raise ValueError("GitLab token required. Set MCP_GITLAB_TOKEN environment variable")
 
+        # SSL Configuration options
+        ssl_verify = os.getenv("MCP_SSL_VERIFY", "true").lower() == "true"
+        ssl_ca_bundle = os.getenv("MCP_SSL_CA_BUNDLE")  # Path to CA bundle file
+        
+        # Build GitLab client configuration
+        gitlab_config = {
+            "url": self.gitlab_url,
+            "private_token": self.gitlab_token,
+            "ssl_verify": ssl_verify
+        }
+        
+        # Add CA bundle if provided
+        if ssl_ca_bundle and ssl_verify:
+            gitlab_config["ssl_ca_bundle"] = ssl_ca_bundle
+            logger.info(f"🔒 Using SSL CA bundle: {ssl_ca_bundle}")
+        elif not ssl_verify:
+            logger.warning(f"⚠️  SSL verification disabled - not recommended for production!")
+        
         # Initialize GitLab client
-        self.gl = gitlab.Gitlab(self.gitlab_url, private_token=self.gitlab_token)
+        self.gl = gitlab.Gitlab(**gitlab_config)
 
         # Log configuration
         logger.info(f"🔒 Max API calls/hour: {self.max_api_calls_per_hour}")
-        logger.info(f"🔒 Allowed actions: {self.allowed_actions}")
-        logger.info(f"🔒 Allowed repos: {self.allowed_repos if self.allowed_repos != [''] else 'ALL'}")
+        logger.info(f"🔒🛡️  SECURITY: Read-only mode hardcoded (write operations never permitted)")
+        logger.info(f"ℹ️ Allowed actions: {self.allowed_actions}")
+        logger.info(f"🔒 Allowed repos (wildcard patterns): {self.allowed_repos}")
+        logger.info(f"ℹ️ Pattern examples: 'repo-name', 'group/*', 'group/subgroup/*', 'group/project'")
         logger.info(f"🔗 GitLab URL: {self.gitlab_url}")
 
 # Global configuration instance
@@ -156,25 +189,78 @@ def check_rate_limit() -> bool:
     return True
 
 def check_action_allowed(action: str) -> bool:
-    """Check if action is permitted"""
-    if action in config.allowed_actions or "all" in config.allowed_actions:
+    """Check if action is permitted - hardcoded read-only mode for security"""
+    action_lower = action.lower()
+    
+    # Check against hardcoded allowed read-only actions
+    if action_lower in [act.lower() for act in config.allowed_actions]:
         return True
-    logger.warning(f"🚫 Action not allowed: {action}")
+    
+    # Block any write actions with explicit security warning
+    forbidden_actions = ['write', 'create', 'update', 'delete', 'modify', 'push', 'merge', 'approve', 'deploy', 'change']
+    if any(forbidden in action_lower for forbidden in forbidden_actions):
+        logger.error(f"🚫🔒 SECURITY: Write action blocked: {action}")
+        return False
+    
+    # Log any unknown actions for security monitoring
+    logger.warning(f"🚫 Action not allowed: {action} (only read-only actions permitted)")
     return False
 
-def check_repo_allowed(project_id: str) -> bool:
-    """Check repository access permissions"""
-    if not config.allowed_repos or config.allowed_repos == ['']:
+def match_repo_pattern(project_path: str, pattern: str) -> bool:
+    """
+    Check if a project path matches a given pattern.
+    
+    Supports various patterns:
+    - Exact match: "my-repo" or "group/my-repo"
+    - Group wildcard: "group/*" (matches all repos in group)
+    - Subgroup wildcard: "group/subgroup/*" (matches all repos in subgroup)
+    - Mixed patterns: supports any combination
+    
+    Args:
+        project_path: Full project path like "group/subgroup/project"
+        pattern: Pattern to match against, e.g. "group/*", "exact-name", etc.
+    
+    Returns:
+        bool: True if project matches the pattern
+    """
+    if not pattern or not project_path:
+        return False
+    
+    # Remove leading/trailing whitespace
+    pattern = pattern.strip()
+    project_path = project_path.strip()
+    
+    # Exact match (including project ID as string)
+    if pattern == project_path:
         return True
 
+    # Wildcard pattern matching
+    if '*' in pattern:
+        # Use fnmatch for shell-style wildcards
+        return fnmatch.fnmatch(project_path, pattern)
+    
+    # No match
+    return False
+
+def check_repo_allowed(project_id: str) -> bool:
+    """Check repository access permissions against MCP_ALLOWED_REPOS patterns"""
     try:
         project = config.gl.projects.get(project_id)
         project_name = project.path_with_namespace
 
-        if project_id in config.allowed_repos or project_name in config.allowed_repos:
-            return True
+        # Check against each allowed pattern
+        for allowed_pattern in config.allowed_repos:
+            allowed_pattern = allowed_pattern.strip()
+            
+            # Check if project ID matches (for backward compatibility)
+            if project_id == allowed_pattern:
+                return True
+            
+            # Check if project path matches the pattern
+            if match_repo_pattern(project_name, allowed_pattern):
+                return True
 
-        logger.warning(f"🚫 Repo not allowed: {project_name}")
+        logger.warning(f"🚫 Repo not allowed: {project_name} (allowed patterns: {config.allowed_repos})")
         return False
     except Exception:
         logger.warning(f"🚫 Could not verify repo access: {project_id}")