-
Notifications
You must be signed in to change notification settings - Fork 5
Expand file tree
/
Copy pathbasic_usage.py
More file actions
352 lines (286 loc) · 11 KB
/
basic_usage.py
File metadata and controls
352 lines (286 loc) · 11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
#!/usr/bin/env python3
"""
Basic SchemaPin Usage Example
This example demonstrates how to use SchemaPin integration with MockLoop MCP
for basic schema verification and key pinning scenarios.
"""
import asyncio
import json
import sys
from pathlib import Path
# Add src to path for imports
sys.path.insert(0, str(Path(__file__).parent.parent.parent / "src"))
from mockloop_mcp.schemapin import (
SchemaPinConfig,
SchemaVerificationInterceptor,
KeyPinningManager,
PolicyHandler,
SchemaPinAuditLogger,
VerificationResult,
PolicyAction
)
async def basic_verification_example():
"""Demonstrate basic schema verification workflow."""
print("=== Basic Schema Verification Example ===\n")
# 1. Configure SchemaPin
config = SchemaPinConfig(
enabled=True,
policy_mode="warn", # Options: enforce, warn, log
auto_pin_keys=False,
key_pin_storage_path="example_keys.db",
trusted_domains=["api.example.com"],
interactive_mode=False
)
print(f"✓ SchemaPin configured: policy_mode={config.policy_mode}")
# 2. Initialize verification interceptor
interceptor = SchemaVerificationInterceptor(config)
print("✓ Verification interceptor initialized")
# 3. Define a tool schema (what you'd get from an MCP tool)
tool_schema = {
"name": "database_query",
"description": "Execute SQL queries against database",
"parameters": {
"type": "object",
"properties": {
"query": {
"type": "string",
"description": "SQL query to execute"
},
"database": {
"type": "string",
"description": "Target database name",
"default": "main"
}
},
"required": ["query"]
}
}
# 4. Simulate verification scenarios
print("\n--- Scenario 1: Unsigned tool (no signature) ---")
result = await interceptor.verify_tool_schema(
tool_name="database_query",
schema=tool_schema,
signature=None, # No signature provided
domain="api.example.com"
)
print(f"Valid: {result.valid}")
print(f"Error: {result.error}")
print(f"Tool ID: {result.tool_id}")
print("\n--- Scenario 2: Tool with signature but no pinned key ---")
# In real usage, this would be a cryptographic signature
mock_signature = "eyJhbGciOiJFUzI1NiJ9.mock_signature_data"
result = await interceptor.verify_tool_schema(
tool_name="database_query",
schema=tool_schema,
signature=mock_signature,
domain="api.example.com"
)
print(f"Valid: {result.valid}")
print(f"Domain: {result.domain}")
print(f"Key pinned: {result.key_pinned}")
if result.error:
print(f"Error: {result.error}")
async def key_management_example():
"""Demonstrate key pinning and management."""
print("\n=== Key Management Example ===\n")
# Initialize key manager
key_manager = KeyPinningManager("example_keys.db")
print("✓ Key manager initialized")
# Example public key (in real usage, this would be discovered or provided)
example_public_key = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEExample1234567890abcdefghijklmn
opqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890example
-----END PUBLIC KEY-----"""
# Pin a key for a tool
tool_id = "api.example.com/database_query"
domain = "api.example.com"
metadata = {
"developer": "Example Corp",
"version": "1.0.0",
"description": "Database query tool"
}
success = key_manager.pin_key(tool_id, domain, example_public_key, metadata)
print(f"✓ Key pinned successfully: {success}")
# Retrieve pinned key
retrieved_key = key_manager.get_pinned_key(tool_id)
print(f"✓ Key retrieved: {retrieved_key is not None}")
# Check if key is pinned
is_pinned = key_manager.is_key_pinned(tool_id)
print(f"✓ Key is pinned: {is_pinned}")
# Get detailed key information
key_info = key_manager.get_key_info(tool_id)
if key_info:
print(f"✓ Key info - Domain: {key_info['domain']}")
print(f"✓ Key info - Pinned at: {key_info['pinned_at']}")
print(f"✓ Key info - Verification count: {key_info['verification_count']}")
print(f"✓ Key info - Developer: {key_info['metadata']['developer']}")
# List all pinned keys
pinned_keys = key_manager.list_pinned_keys()
print(f"✓ Total pinned keys: {len(pinned_keys)}")
# Update verification stats (simulating successful verification)
key_manager.update_verification_stats(tool_id)
print("✓ Verification stats updated")
# Get updated info
updated_info = key_manager.get_key_info(tool_id)
if updated_info:
print(f"✓ Updated verification count: {updated_info['verification_count']}")
async def policy_enforcement_example():
"""Demonstrate policy enforcement scenarios."""
print("\n=== Policy Enforcement Example ===\n")
# Test different policy modes
policy_modes = ["enforce", "warn", "log"]
for mode in policy_modes:
print(f"--- Testing {mode.upper()} mode ---")
config = SchemaPinConfig(policy_mode=mode)
policy_handler = PolicyHandler(config)
# Simulate failed verification
failed_result = VerificationResult(
valid=False,
tool_id="untrusted.com/suspicious_tool",
domain="untrusted.com",
error="Signature verification failed"
)
decision = await policy_handler.evaluate_verification_result(
failed_result, "suspicious_tool"
)
print(f" Action: {decision.action.value}")
print(f" Reason: {decision.reason}")
print(f" Policy mode: {decision.policy_mode}")
# Show what each action means
if decision.action == PolicyAction.BLOCK:
print(" → Tool execution would be BLOCKED")
elif decision.action == PolicyAction.WARN:
print(" → Tool execution would proceed with WARNING")
elif decision.action == PolicyAction.LOG:
print(" → Tool execution would proceed with LOGGING only")
print()
async def audit_logging_example():
"""Demonstrate audit logging capabilities."""
print("\n=== Audit Logging Example ===\n")
# Initialize audit logger
audit_logger = SchemaPinAuditLogger("example_audit.db")
print("✓ Audit logger initialized")
# Log various events
print("Logging verification events...")
# Successful verification
success_result = VerificationResult(
valid=True,
tool_id="api.example.com/secure_tool",
domain="api.example.com",
key_pinned=True
)
await audit_logger.log_verification_attempt(
"api.example.com/secure_tool",
"api.example.com",
success_result,
execution_time_ms=125.5
)
# Failed verification
await audit_logger.log_verification_error(
"malicious.com/bad_tool",
"malicious.com",
"Invalid signature detected"
)
# Key pinning event
await audit_logger.log_key_pinning_event(
"new.com/new_tool",
"new.com",
"new_public_key",
"pin"
)
# Policy decision
await audit_logger.log_policy_decision(
"questionable.com/tool",
"warn",
"Unsigned tool execution",
"warn"
)
print("✓ Events logged")
# Get verification statistics
stats = audit_logger.get_verification_stats()
print("\n--- Audit Statistics ---")
print(f"Total verifications: {stats.get('total_verifications', 0)}")
print(f"Successful verifications: {stats.get('successful_verifications', 0)}")
print(f"Failed verifications: {stats.get('failed_verifications', 0)}")
print(f"Unique tools: {stats.get('unique_tools', 0)}")
print(f"Unique domains: {stats.get('unique_domains', 0)}")
if 'policy_breakdown' in stats:
print("\nPolicy action breakdown:")
for action, count in stats['policy_breakdown'].items():
print(f" {action}: {count}")
async def configuration_example():
"""Demonstrate configuration management."""
print("\n=== Configuration Management Example ===\n")
# Create custom configuration
config = SchemaPinConfig(
enabled=True,
policy_mode="enforce",
auto_pin_keys=True,
key_pin_storage_path="production_keys.db",
discovery_timeout=60,
cache_ttl=7200,
well_known_endpoints={
"api.example.com": "https://api.example.com/.well-known/schemapin.json",
"tools.corp.com": "https://tools.corp.com/security/schemapin.json"
},
trusted_domains=[
"api.example.com",
"tools.corp.com",
"internal.company.com"
],
revocation_check=True,
interactive_mode=False
)
print("✓ Custom configuration created")
# Save configuration to file
config.save_to_file("schemapin_config.json")
print("✓ Configuration saved to file")
# Load configuration from file
loaded_config = SchemaPinConfig.load_from_file("schemapin_config.json")
print("✓ Configuration loaded from file")
# Verify configuration
print(f"Policy mode: {loaded_config.policy_mode}")
print(f"Auto-pin keys: {loaded_config.auto_pin_keys}")
print(f"Trusted domains: {len(loaded_config.trusted_domains)}")
print(f"Discovery timeout: {loaded_config.discovery_timeout}s")
# Convert to dictionary for inspection
config_dict = loaded_config.to_dict()
print("\nConfiguration as dictionary:")
print(json.dumps(config_dict, indent=2))
async def main():
"""Run all examples."""
print("SchemaPin Integration Examples")
print("=" * 50)
try:
await basic_verification_example()
await key_management_example()
await policy_enforcement_example()
await audit_logging_example()
await configuration_example()
print("\n" + "=" * 50)
print("✓ All examples completed successfully!")
print("\nNext steps:")
print("1. Review the generated database files (example_keys.db, example_audit.db)")
print("2. Examine the configuration file (schemapin_config.json)")
print("3. Integrate SchemaPin verification into your MCP tools")
print("4. Set up proper key discovery endpoints for your domains")
except Exception as e:
print(f"\n❌ Error running examples: {e}")
import traceback
traceback.print_exc()
finally:
# Clean up example files
cleanup_files = [
"example_keys.db",
"example_audit.db",
"schemapin_config.json"
]
print("\nCleaning up example files...")
for file_path in cleanup_files:
try:
Path(file_path).unlink(missing_ok=True)
print(f"✓ Removed {file_path}")
except Exception as e:
print(f"⚠ Could not remove {file_path}: {e}")
if __name__ == "__main__":
asyncio.run(main())