DIARCHERS-1396: MCP-dedicated API layer with rate limiting, auth, and audit (#610)

* DIARCHERS-1396: add MCP-dedicated API layer with rate limiting, auth, and audit

- DB migration 00046: mcp_token and mcp_access_log tables
- api/handlers/mcp/auth.py: ib_mcp_* bearer token validation, project/trigger access checks
- api/handlers/mcp/rate_limit.py: Redis sliding-window per-user per-endpoint rate limiter (fail-open)
- api/handlers/mcp/audit.py: fire-and-forget audit logging to mcp_access_log
- api/handlers/mcp/token_routes.py: token CRUD at /api/v1/mcp/tokens/*
- api/handlers/mcp/routes/: /api/v1/mcp/* endpoints for projects, builds, jobs, artifacts, trigger
- infrabox/test/api/mcp_test.py: 21 unit tests covering hash, access checks, rate limiter

* fix: add mcp_token and mcp_access_log to test teardown TRUNCATE

* fix: address code review findings on MCP API layer

- ibflask.py: recognize ib_mcp_ prefix in get_token() to skip JWT
  decode; normalize_token() passes mcp type through unchanged
- policies/mcp.rego: add OPA rules allowing mcp tokens on
  /api/v1/mcp/* data paths and session users on tokens management path
- auth.py: fix per-project expiry check to handle naive vs aware
  datetime; treat malformed expiry as denied instead of granted
- routes/builds.py: add LOCK TABLE before MAX(build_number)+1 INSERT
  to prevent duplicate build numbers under concurrency; move uuid
  import to top; drop premature audit 'attempt' before lock
- routes/projects.py: add collaborator JOIN on MCP token path so
  revoked collaborators cannot enumerate project metadata
- rate_limit.py: reset _redis_client to None on pipeline error so
  reconnect is attempted on the next request
- token_routes.py: replace inline hashlib.sha256 with _hash_token();
  move json/hashlib imports to top; fix MCPTokenTrigger.post docstring
  (permanent grant, not time-limited); remove dead body variable;
  add try/except around int(expires_days) conversion
- audit.py: remove unused threading import; fix misleading docstring;
  move json import to top
- 00046.sql: add retention comment for mcp_access_log pruning

* fix: return dict/list from flask-restx Resource methods instead of jsonify()

flask-restx's make_response wrapper cannot accept a Flask Response
object as data — it tries to JSON-serialize it and raises TypeError.
All mcp handler methods must return plain dict/list (+ optional status
code), not jsonify() Response objects.

* fix: use abort() instead of jsonify() in mcp_auth_required _reject()

flask-restx make_response cannot accept Flask Response objects;
_reject() must raise via abort() so the error handler formats the
response, not the Resource wrapper.

* fix: rename migration 00046.sql to 00047.sql to avoid version collision

The test environment DB already has schema_version=46 from a prior
development iteration (global_token columns) that was later consolidated
into 00045.sql. Keeping mcp_token/mcp_access_log as 00046 causes the
migration runner to skip it. Renaming to 00047 ensures it runs on any
environment where 00046 is already marked as applied.

mcp.rego is automatically included in the OPA image via the existing
Dockerfile COPY instruction (src/openpolicyagent/policies → /policies),
so no separate deployment step is needed.

* feat: extend global token OPA policies to cover builds, jobs, and trigger

Global tokens were only authorized for project list/detail endpoints.
All project-scoped read endpoints (builds, jobs, console, testresults,
archive, stats, etc.) returned 401 because no OPA allow rules existed
for token.type = "global".

This commit adds the missing allow rules across all affected policy
files, following the same collaborator-check pattern already used for
user tokens:

- Read operations (builds, jobs and all sub-resources): allowed when
  global_token.user_id is a collaborator on the target project.
- Write operations (restart, abort, rerun, cache-clear, trigger):
  additionally require global_token.scope_push = true.

Also fixes a latent bug in projects_commits.rego and trigger.rego
where the helper functions referenced an undefined `project` variable
instead of the correct `project_id` parameter.

New OPA test cases in global_viewer_test.rego cover:
- builds list and single build allowed for collaborator
- job console and stats allowed for collaborator
- read denied for non-collaborator project
- restart/trigger denied without scope_push
- restart/trigger allowed with scope_push

* fix: add missing source column to build table and cover trigger route with tests

- Add ALTER TABLE build ADD COLUMN source VARCHAR(64) to 00047.sql;
  the MCPTrigger.post INSERT referenced this column but it was never
  created in any migration, causing a runtime DB error on every trigger call
- Add TestMCPBuildsGet and TestMCPTriggerPost unit test classes to
  mcp_test.py covering happy path, access control, project type guard,
  and DB failure; test_trigger_inserts_source_column is a regression guard
  for the missing column

* fix: fix list builds SQL — join commit/job tables for branch/status/dates

* fix: remove dropped cpu/memory columns from job list SELECT

* chore: trigger rebuild for build_3167

* 2606.18.0

---------

Co-authored-by: Yuan Huang <huangyuan01@sap.com>

Author: sap-yuan

cfg/VERSION

@@ -1 +1 @@
-2606.10.0
+2606.18.0

infrabox/test/api/mcp_test.py

@@ -8,7 +8,8 @@ class ApiTestTemplate(unittest.TestCase):
 
     def setUp(self):
         TestClient.execute(
-            'TRUNCATE global_token_access_log, global_token, '
+            'TRUNCATE mcp_access_log, mcp_token, '
+            'global_token_access_log, global_token, '
             'collaborator, auth_token, secret, '
             'console, job_markup, job_badge, job, '
             'build, commit, repository, '

infrabox/test/api/test_template.py

@@ -7,3 +7,4 @@
 import api.handlers.build
 import api.handlers.job_api
 import api.handlers.admin
+import api.handlers.mcp

src/api/handlers/__init__.py

@@ -0,0 +1,4 @@
+import api.handlers.mcp.token_routes
+import api.handlers.mcp.routes.projects
+import api.handlers.mcp.routes.builds
+import api.handlers.mcp.routes.jobs

src/api/handlers/mcp/__init__.py

@@ -0,0 +1,53 @@
+"""
+Audit logging for MCP API calls.
+
+Writes to the mcp_access_log table (best-effort, synchronous).
+Never raises — a logging failure must not break the request.
+"""
+import json
+import logging
+
+from flask import g, request
+
+logger = logging.getLogger('mcp_audit')
+
+
+def audit_mcp(action: str, outcome: str = 'attempt', details: dict = None, error: str = ''):
+    """Record one MCP audit entry synchronously on the request DB connection."""
+    token_id = getattr(g, 'mcp_token_id', None)
+    user_id = getattr(g, 'mcp_token_user_id', None)
+    if not user_id:
+        token = getattr(g, 'token', None)
+        if token and 'user' in token:
+            user_id = str(token['user'].get('id', ''))
+    ip = request.remote_addr
+
+    try:
+        db = getattr(g, 'db', None)
+        if db is None:
+            return
+
+        db.execute('''
+            INSERT INTO mcp_access_log (token_id, user_id, action, outcome, details, error, ip)
+            VALUES (%s, %s, %s, %s, %s, %s, %s)
+        ''', [
+            token_id,
+            user_id,
+            action,
+            outcome,
+            _to_json(details),
+            error or None,
+            ip,
+        ])
+        db.commit()
+    except Exception as exc:
+        logger.warning('MCP audit log failed: %s', exc)
+
+
+def _to_json(d):
+    if d is None:
+        return None
+    try:
+        return json.dumps(d)
+    except Exception:
+        return str(d)

src/api/handlers/mcp/audit.py

@@ -0,0 +1,152 @@
+"""
+MCP token authentication middleware for InfraBox.
+
+Token format: ib_mcp_<48 hex chars>
+Lookup key:   first 16 chars of the 48-char hex suffix
+Hash:         SHA-256 of the full raw token string (UTF-8)
+
+MCP tokens are ONLY accepted on /api/v1/mcp/* paths.
+All other paths fall back to the normal OPA-based auth.
+"""
+import hashlib
+import logging
+from datetime import datetime, timezone
+from functools import wraps
+
+from flask import g, request, abort
+
+logger = logging.getLogger('mcp_auth')
+
+_MCP_TOKEN_PREFIX = 'ib_mcp_'
+_MCP_PATH_PREFIX = '/api/v1/mcp/'
+
+
+def _utcnow():
+    return datetime.now(timezone.utc)
+
+
+def _utcnow_naive():
+    """Naive UTC datetime for comparing against psycopg2 TIMESTAMP values."""
+    return datetime.now(timezone.utc).replace(tzinfo=None)
+
+
+def _hash_token(raw_token: str) -> str:
+    return hashlib.sha256(raw_token.encode('utf-8')).hexdigest()
+
+
+def _reject(status, message):
+    abort(status, message)
+
+
+def mcp_auth_required(f):
+    """Decorator that validates ib_mcp_* Bearer tokens.
+
+    Sets on flask.g:
+      g.mcp_token_id          – token_id (16-char prefix)
+      g.mcp_token_user_id     – user uuid who owns the token
+      g.mcp_enabled_projects  – dict {project_id: expires_at_iso_or_None}
+      g.mcp_allow_trigger     – bool
+    """
+    @wraps(f)
+    def decorated(*args, **kwargs):
+        auth = request.headers.get('Authorization', '')
+
+        if not auth.startswith('Bearer ' + _MCP_TOKEN_PREFIX):
+            # not an MCP token — fall through to OPA auth (already done in before_request)
+            return f(*args, **kwargs)
+
+        raw_token = auth[len('Bearer '):]
+
+        # MCP tokens are only valid on /api/v1/mcp/* paths
+        if not request.path.startswith(_MCP_PATH_PREFIX):
+            _reject(403, 'MCP token can only be used on /api/v1/mcp/* endpoints')
+
+        token_suffix = raw_token[len(_MCP_TOKEN_PREFIX):]
+        if len(token_suffix) != 48:
+            _reject(401, 'invalid MCP token format')
+
+        token_id = token_suffix[:16]
+        token_hash = _hash_token(raw_token)
+
+        row = g.db.execute_one_dict('''
+            SELECT token_id, user_id, enabled_projects, allow_trigger, expires_at, revoked_at
+            FROM mcp_token
+            WHERE token_id = %s AND token_hash = %s
+        ''', [token_id, token_hash])
+
+        if not row:
+            _reject(401, 'invalid or unknown MCP token')
+
+        if row['revoked_at'] is not None:
+            _reject(401, 'MCP token has been revoked')
+
+        if row['expires_at'] < _utcnow_naive():
+            _reject(401, 'MCP token has expired')
+
+        # Update last_used_at (best-effort, non-fatal)
+        try:
+            g.db.execute(
+                'UPDATE mcp_token SET last_used_at = NOW() WHERE token_id = %s',
+                [token_id]
+            )
+            g.db.commit()
+        except Exception as exc:
+            logger.warning('failed to update last_used_at: %s', exc)
+
+        g.mcp_token_id = token_id
+        g.mcp_token_user_id = str(row['user_id'])
+        g.mcp_enabled_projects = row['enabled_projects'] or {}
+        g.mcp_allow_trigger = bool(row['allow_trigger'])
+        # Suppress OPA check for MCP-authed requests
+        g.token = {'type': 'mcp', 'user': {'id': str(row['user_id']), 'role': 'user'}}
+
+        return f(*args, **kwargs)
+    return decorated
+
+
+def check_project_access_mcp(project_id: str) -> bool:
+    """Return True if the current request may access project_id.
+
+    MCP token path: project must be in g.mcp_enabled_projects and not past
+    its per-project expiry (if set).
+    Session path: delegates to OPA (already checked in before_request).
+    """
+    if not hasattr(g, 'mcp_enabled_projects'):
+        # session / OPA path — access already verified
+        return True
+
+    enabled = g.mcp_enabled_projects
+    if project_id not in enabled:
+        return False
+
+    per_project_expiry = enabled[project_id]
+    if per_project_expiry:
+        try:
+            exp = datetime.fromisoformat(per_project_expiry)
+            # fromisoformat() on a naive string (no UTC offset) returns a naive
+            # datetime; compare against naive UTC to avoid TypeError.
+            now = _utcnow_naive() if exp.tzinfo is None else _utcnow()
+            if exp < now:
+                return False
+        except (ValueError, TypeError):
+            # Malformed expiry — treat as expired rather than silently granting access.
+            return False
+
+    return True
+
+
+def check_trigger_access_mcp() -> bool:
+    """Return True if the current request may trigger builds."""
+    if not hasattr(g, 'mcp_allow_trigger'):
+        return True
+    return bool(g.mcp_allow_trigger)
+
+
+def get_mcp_user_id() -> str:
+    """Return user id string regardless of auth path."""
+    if hasattr(g, 'mcp_token_user_id'):
+        return g.mcp_token_user_id
+    token = getattr(g, 'token', None)
+    if token and 'user' in token:
+        return str(token['user'].get('id', ''))
+    return request.remote_addr or 'unknown'

src/api/handlers/mcp/auth.py

@@ -0,0 +1,101 @@
+"""
+Redis sliding-window rate limiter for MCP endpoints.
+
+Key:    ib_mcp_rl:{user_id}:{endpoint}
+Window: 60 seconds
+TTL:    70 seconds (slightly larger than window)
+
+Fail-open: if Redis is unavailable, the request is allowed and a warning is logged.
+"""
+import logging
+import os
+import uuid
+from functools import wraps
+
+from flask import g, jsonify, request
+
+logger = logging.getLogger('mcp_rate_limit')
+
+_WINDOW_MS = 60_000
+_KEY_TTL_S = 70
+
+_ENDPOINT_LIMITS = {
+    'get_job_log': int(os.environ.get('MCP_RATE_LIMIT_LOG_RPM', 10)),
+    'list_job_artifacts': int(os.environ.get('MCP_RATE_LIMIT_ARTIFACT_RPM', 10)),
+    'list_builds': int(os.environ.get('MCP_RATE_LIMIT_BUILDS_RPM', 30)),
+    'list_jobs': int(os.environ.get('MCP_RATE_LIMIT_JOBS_RPM', 30)),
+    'list_projects': int(os.environ.get('MCP_RATE_LIMIT_PROJECTS_RPM', 30)),
+    'trigger_build': int(os.environ.get('MCP_RATE_LIMIT_TRIGGER_RPM', 5)),
+}
+_DEFAULT_RPM = int(os.environ.get('MCP_RATE_LIMIT_DEFAULT_RPM', 30))
+
+_redis_client = None
+
+
+def _get_redis():
+    global _redis_client
+    if _redis_client is not None:
+        return _redis_client
+
+    redis_url = os.environ.get('REDIS_URL', '')
+    if not redis_url:
+        return None
+
+    try:
+        import redis
+        _redis_client = redis.from_url(redis_url, socket_connect_timeout=1, socket_timeout=1)
+        _redis_client.ping()
+    except Exception as exc:
+        logger.warning('MCP rate limiter: Redis unavailable (%s), fail-open', exc)
+        _redis_client = None
+
+    return _redis_client
+
+
+def _check_rate_limit(user_id: str, endpoint: str) -> bool:
+    """Return True (allow) or False (deny). Fail-open on Redis errors."""
+    rpm = _ENDPOINT_LIMITS.get(endpoint, _DEFAULT_RPM)
+
+    try:
+        r = _get_redis()
+        if r is None:
+            return True
+
+        import time
+        now_ms = int(time.time() * 1000)
+        key = f'ib_mcp_rl:{user_id}:{endpoint}'
+
+        pipe = r.pipeline()
+        pipe.zremrangebyscore(key, 0, now_ms - _WINDOW_MS)
+        pipe.zadd(key, {str(uuid.uuid4()): now_ms})
+        pipe.zcard(key)
+        pipe.expire(key, _KEY_TTL_S)
+        results = pipe.execute()
+
+        count = results[2]
+        return count <= rpm
+
+    except Exception as exc:
+        global _redis_client
+        _redis_client = None  # force reconnect attempt on next request
+        logger.warning('MCP rate limiter Redis error (fail-open): %s', exc)
+        return True
+
+
+def mcp_rate_limit(endpoint: str):
+    """Decorator factory: apply rate limiting for the given endpoint name."""
+    def decorator(f):
+        @wraps(f)
+        def decorated(*args, **kwargs):
+            from api.handlers.mcp.auth import get_mcp_user_id
+            user_id = get_mcp_user_id()
+
+            if not _check_rate_limit(user_id, endpoint):
+                return jsonify({
+                    'message': 'rate limit exceeded, please slow down',
+                    'status': 429,
+                }), 429
+
+            return f(*args, **kwargs)
+        return decorated
+    return decorator