mirror of
https://github.com/jmagar/unraid-mcp.git
synced 2026-03-02 08:14:43 -08:00
316193c04b
Addresses all critical, high, medium, and low issues from full codebase review. 494 tests pass, ruff clean, ty type-check clean. Security: - Add tool_error_handler context manager (exceptions.py) — standardised error handling, eliminates 11 bare except-reraise patterns - Remove unused exception subclasses (ConfigurationError, UnraidAPIError, SubscriptionError, ValidationError, IdempotentOperationError) - Harden GraphQL subscription query validator with allow-list and forbidden-keyword regex (diagnostics.py) - Add input validation for rclone create_remote config_data: injection, path-traversal, and key-count limits (rclone.py) - Validate notifications importance enum before GraphQL request (notifications.py) - Sanitise HTTP/network/JSON error messages — no raw exception strings leaked to clients (client.py) - Strip path/creds from displayed API URL via _safe_display_url (health.py) - Enable Ruff S (bandit) rule category in pyproject.toml - Harden container mutations to strict-only matching — no fuzzy/substring for destructive operations (docker.py) Performance: - Token-bucket rate limiter (90 tokens, 9 req/s) with 429 retry backoff (client.py) - Lazy asyncio.Lock init via _get_client_lock() — fixes event-loop module-load crash (client.py) - Double-checked locking in get_http_client() for fast-path (client.py) - Short hex container ID fast-path skips list fetch (docker.py) - Cap resource_data log content to 1 MB / 5,000 lines (manager.py) - Reset reconnect counter after 30 s stable connection (manager.py) - Move tail_lines validation to module level; enforce 10,000 line cap (storage.py, docker.py) - force_terminal=True removed from logging RichHandler (logging.py) Architecture: - Register diagnostic tools in server startup (server.py) - Move ALL_ACTIONS computation to module level in all tools - Consolidate format_kb / format_bytes into shared core/utils.py - Add _safe_get() helper in core/utils.py for nested dict traversal - Extract _analyze_subscription_status() from health.py diagnose handler - Validate required config at startup — fail fast with CRITICAL log (server.py) Code quality: - Remove ~90 lines of dead Rich formatting helpers from logging.py - Remove dead self.websocket attribute from SubscriptionManager - Remove dead setup_uvicorn_logging() wrapper - Move _VALID_IMPORTANCE to module level (N806 fix) - Add slots=True to all three dataclasses (SubscriptionData, SystemHealth, APIResponse) - Fix None rendering as literal "None" string in info.py summaries - Change fuzzy-match log messages from INFO to DEBUG (docker.py) - UTC-aware datetimes throughout (manager.py, diagnostics.py) Infrastructure: - Upgrade base image python:3.11-slim → python:3.12-slim (Dockerfile) - Add non-root appuser (UID/GID 1000) with HEALTHCHECK (Dockerfile) - Add read_only, cap_drop: ALL, tmpfs /tmp to docker-compose.yml - Single-source version via importlib.metadata (pyproject.toml → __init__.py) - Add open_timeout to all websockets.connect() calls Tests: - Update error message matchers to match sanitised messages (test_client.py) - Fix patch targets for UNRAID_API_URL → utils module (test_subscriptions.py) - Fix importance="info" → importance="normal" (test_notifications.py, http_layer) - Fix naive datetime fixtures → UTC-aware (test_subscriptions.py) Co-authored-by: Claude <claude@anthropic.com>
55 lines
1.6 KiB
Python
55 lines
1.6 KiB
Python
"""Shared utilities for the subscription system."""
|
|
|
|
import ssl as _ssl
|
|
|
|
from ..config.settings import UNRAID_API_URL, UNRAID_VERIFY_SSL
|
|
|
|
|
|
def build_ws_url() -> str:
|
|
"""Build a WebSocket URL from the configured UNRAID_API_URL.
|
|
|
|
Converts http(s) scheme to ws(s) and ensures /graphql path suffix.
|
|
|
|
Returns:
|
|
The WebSocket URL string (e.g. "wss://10.1.0.2:31337/graphql").
|
|
|
|
Raises:
|
|
ValueError: If UNRAID_API_URL is not configured.
|
|
"""
|
|
if not UNRAID_API_URL:
|
|
raise ValueError("UNRAID_API_URL is not configured")
|
|
|
|
if UNRAID_API_URL.startswith("https://"):
|
|
ws_url = "wss://" + UNRAID_API_URL[len("https://") :]
|
|
elif UNRAID_API_URL.startswith("http://"):
|
|
ws_url = "ws://" + UNRAID_API_URL[len("http://") :]
|
|
else:
|
|
ws_url = UNRAID_API_URL
|
|
|
|
if not ws_url.endswith("/graphql"):
|
|
ws_url = ws_url.rstrip("/") + "/graphql"
|
|
|
|
return ws_url
|
|
|
|
|
|
def build_ws_ssl_context(ws_url: str) -> _ssl.SSLContext | None:
|
|
"""Build an SSL context for WebSocket connections when using wss://.
|
|
|
|
Args:
|
|
ws_url: The WebSocket URL to connect to.
|
|
|
|
Returns:
|
|
An SSLContext configured per UNRAID_VERIFY_SSL, or None for non-TLS URLs.
|
|
"""
|
|
if not ws_url.startswith("wss://"):
|
|
return None
|
|
if isinstance(UNRAID_VERIFY_SSL, str):
|
|
return _ssl.create_default_context(cafile=UNRAID_VERIFY_SSL)
|
|
if UNRAID_VERIFY_SSL:
|
|
return _ssl.create_default_context()
|
|
# Explicitly disable verification (equivalent to verify=False)
|
|
ctx = _ssl.SSLContext(_ssl.PROTOCOL_TLS_CLIENT)
|
|
ctx.check_hostname = False
|
|
ctx.verify_mode = _ssl.CERT_NONE
|
|
return ctx
|