forked from HomeLab/unraid-mcp
184b8aca1c
**Critical Fixes (7 issues):**
- Fix GraphQL schema field names in users tool (role→roles, remove email)
- Fix GraphQL mutation signatures (addUserInput, deleteUser input)
- Fix dict(None) TypeError guards in users tool (use `or {}` pattern)
- Fix FastAPI version constraint (0.116.1→0.115.0)
- Fix WebSocket SSL context handling (support CA bundles, bool, and None)
- Fix critical disk threshold treated as warning (split counters)
**High Priority Fixes (11 issues):**
- Fix Docker update/remove action response field mapping
- Fix path traversal vulnerability in log validation (normalize paths)
- Fix deleteApiKeys validation (check response before success)
- Fix rclone create_remote validation (check response)
- Fix keys input_data type annotation (dict[str, Any])
- Fix VM domain/domains fallback restoration
**Changes by file:**
- unraid_mcp/tools/docker.py: Response field mapping
- unraid_mcp/tools/info.py: Split critical/warning counters
- unraid_mcp/tools/storage.py: Path normalization for traversal protection
- unraid_mcp/tools/users.py: GraphQL schema + null handling
- unraid_mcp/tools/keys.py: Validation + type annotations
- unraid_mcp/tools/rclone.py: Response validation
- unraid_mcp/tools/virtualization.py: Domain fallback
- unraid_mcp/subscriptions/manager.py: SSL context creation
- pyproject.toml: FastAPI version fix
- tests/*: New tests for all fixes
**Review threads resolved:**
PRRT_kwDOO6Hdxs5uu70L, PRRT_kwDOO6Hdxs5uu70O, PRRT_kwDOO6Hdxs5uu70V,
PRRT_kwDOO6Hdxs5uu70e, PRRT_kwDOO6Hdxs5uu70i, PRRT_kwDOO6Hdxs5uu7zn,
PRRT_kwDOO6Hdxs5uu7z_, PRRT_kwDOO6Hdxs5uu7sI, PRRT_kwDOO6Hdxs5uu7sJ,
PRRT_kwDOO6Hdxs5uu7sK, PRRT_kwDOO6Hdxs5uu7Tk, PRRT_kwDOO6Hdxs5uu7Tn,
PRRT_kwDOO6Hdxs5uu7Tr, PRRT_kwDOO6Hdxs5uu7Ts, PRRT_kwDOO6Hdxs5uu7Tu,
PRRT_kwDOO6Hdxs5uu7Tv, PRRT_kwDOO6Hdxs5uu7Tw, PRRT_kwDOO6Hdxs5uu7Tx
All tests passing.
Co-authored-by: docker-fixer <agent@pr-fixes>
Co-authored-by: info-fixer <agent@pr-fixes>
Co-authored-by: storage-fixer <agent@pr-fixes>
Co-authored-by: users-fixer <agent@pr-fixes>
Co-authored-by: config-fixer <agent@pr-fixes>
Co-authored-by: websocket-fixer <agent@pr-fixes>
Co-authored-by: keys-rclone-fixer <agent@pr-fixes>
Co-authored-by: vm-fixer <agent@pr-fixes>
150 lines
5.1 KiB
Python
150 lines
5.1 KiB
Python
"""API key management.
|
|
|
|
Provides the `unraid_keys` tool with 5 actions for listing, viewing,
|
|
creating, updating, and deleting API keys.
|
|
"""
|
|
|
|
from typing import Any, Literal
|
|
|
|
from fastmcp import FastMCP
|
|
|
|
from ..config.logging import logger
|
|
from ..core.client import make_graphql_request
|
|
from ..core.exceptions import ToolError
|
|
|
|
QUERIES: dict[str, str] = {
|
|
"list": """
|
|
query ListApiKeys {
|
|
apiKeys { id name roles permissions createdAt lastUsed }
|
|
}
|
|
""",
|
|
"get": """
|
|
query GetApiKey($id: PrefixedID!) {
|
|
apiKey(id: $id) { id name roles permissions createdAt lastUsed }
|
|
}
|
|
""",
|
|
}
|
|
|
|
MUTATIONS: dict[str, str] = {
|
|
"create": """
|
|
mutation CreateApiKey($input: CreateApiKeyInput!) {
|
|
createApiKey(input: $input) { id name key roles }
|
|
}
|
|
""",
|
|
"update": """
|
|
mutation UpdateApiKey($input: UpdateApiKeyInput!) {
|
|
updateApiKey(input: $input) { id name roles }
|
|
}
|
|
""",
|
|
"delete": """
|
|
mutation DeleteApiKeys($input: DeleteApiKeysInput!) {
|
|
deleteApiKeys(input: $input)
|
|
}
|
|
""",
|
|
}
|
|
|
|
DESTRUCTIVE_ACTIONS = {"delete"}
|
|
|
|
KEY_ACTIONS = Literal[
|
|
"list", "get", "create", "update", "delete",
|
|
]
|
|
|
|
|
|
def register_keys_tool(mcp: FastMCP) -> None:
|
|
"""Register the unraid_keys tool with the FastMCP instance."""
|
|
|
|
@mcp.tool()
|
|
async def unraid_keys(
|
|
action: KEY_ACTIONS,
|
|
confirm: bool = False,
|
|
key_id: str | None = None,
|
|
name: str | None = None,
|
|
roles: list[str] | None = None,
|
|
permissions: list[str] | None = None,
|
|
) -> dict[str, Any]:
|
|
"""Manage Unraid API keys.
|
|
|
|
Actions:
|
|
list - List all API keys
|
|
get - Get a specific API key (requires key_id)
|
|
create - Create a new API key (requires name; optional roles, permissions)
|
|
update - Update an API key (requires key_id; optional name, roles)
|
|
delete - Delete API keys (requires key_id, confirm=True)
|
|
"""
|
|
all_actions = set(QUERIES) | set(MUTATIONS)
|
|
if action not in all_actions:
|
|
raise ToolError(f"Invalid action '{action}'. Must be one of: {sorted(all_actions)}")
|
|
|
|
if action in DESTRUCTIVE_ACTIONS and not confirm:
|
|
raise ToolError(f"Action '{action}' is destructive. Set confirm=True to proceed.")
|
|
|
|
try:
|
|
logger.info(f"Executing unraid_keys action={action}")
|
|
|
|
if action == "list":
|
|
data = await make_graphql_request(QUERIES["list"])
|
|
keys = data.get("apiKeys", [])
|
|
return {"keys": list(keys) if isinstance(keys, list) else []}
|
|
|
|
if action == "get":
|
|
if not key_id:
|
|
raise ToolError("key_id is required for 'get' action")
|
|
data = await make_graphql_request(QUERIES["get"], {"id": key_id})
|
|
return dict(data.get("apiKey", {}))
|
|
|
|
if action == "create":
|
|
if not name:
|
|
raise ToolError("name is required for 'create' action")
|
|
input_data: dict[str, Any] = {"name": name}
|
|
if roles:
|
|
input_data["roles"] = roles
|
|
if permissions:
|
|
input_data["permissions"] = permissions
|
|
data = await make_graphql_request(
|
|
MUTATIONS["create"], {"input": input_data}
|
|
)
|
|
return {
|
|
"success": True,
|
|
"key": data.get("createApiKey", {}),
|
|
}
|
|
|
|
if action == "update":
|
|
if not key_id:
|
|
raise ToolError("key_id is required for 'update' action")
|
|
input_data: dict[str, Any] = {"id": key_id}
|
|
if name:
|
|
input_data["name"] = name
|
|
if roles:
|
|
input_data["roles"] = roles
|
|
data = await make_graphql_request(
|
|
MUTATIONS["update"], {"input": input_data}
|
|
)
|
|
return {
|
|
"success": True,
|
|
"key": data.get("updateApiKey", {}),
|
|
}
|
|
|
|
if action == "delete":
|
|
if not key_id:
|
|
raise ToolError("key_id is required for 'delete' action")
|
|
data = await make_graphql_request(
|
|
MUTATIONS["delete"], {"input": {"ids": [key_id]}}
|
|
)
|
|
result = data.get("deleteApiKeys")
|
|
if not result:
|
|
raise ToolError(f"Failed to delete API key '{key_id}': no confirmation from server")
|
|
return {
|
|
"success": True,
|
|
"message": f"API key '{key_id}' deleted",
|
|
}
|
|
|
|
raise ToolError(f"Unhandled action '{action}' — this is a bug")
|
|
|
|
except ToolError:
|
|
raise
|
|
except Exception as e:
|
|
logger.error(f"Error in unraid_keys action={action}: {e}", exc_info=True)
|
|
raise ToolError(f"Failed to execute keys/{action}: {str(e)}") from e
|
|
|
|
logger.info("Keys tool registered successfully")
|