|
6 | 6 | "fmt" |
7 | 7 | "io" |
8 | 8 | "net/http" |
| 9 | + "os" |
9 | 10 | "strings" |
10 | 11 | "time" |
11 | 12 |
|
|
23 | 24 | secScanAsync bool |
24 | 25 | secScanDryRun bool |
25 | 26 | secScanners string |
| 27 | + secScanAll bool |
26 | 28 |
|
27 | 29 | // security approve flags |
28 | 30 | secApproveForce bool |
@@ -62,6 +64,7 @@ Examples: |
62 | 64 | securityCmd.AddCommand(newSecurityRescanCmd()) |
63 | 65 | securityCmd.AddCommand(newSecurityOverviewCmd()) |
64 | 66 | securityCmd.AddCommand(newSecurityIntegrityCmd()) |
| 67 | + securityCmd.AddCommand(newSecurityCancelAllCmd()) |
65 | 68 |
|
66 | 69 | return securityCmd |
67 | 70 | } |
@@ -155,22 +158,26 @@ Examples: |
155 | 158 |
|
156 | 159 | func newSecurityScanCmd() *cobra.Command { |
157 | 160 | cmd := &cobra.Command{ |
158 | | - Use: "scan <server>", |
| 161 | + Use: "scan [server]", |
159 | 162 | Short: "Scan a server with security scanners", |
160 | 163 | Long: `Start a security scan on an upstream MCP server. |
161 | 164 |
|
162 | 165 | By default, blocks until the scan completes and shows a summary. |
163 | 166 | Use --async to start the scan and return immediately. |
| 167 | +Use --all to scan all servers at once with a progress table. |
164 | 168 |
|
165 | 169 | Examples: |
166 | 170 | mcpproxy security scan github-server |
167 | 171 | mcpproxy security scan github-server --async |
168 | 172 | mcpproxy security scan github-server --dry-run |
169 | | - mcpproxy security scan github-server --scanners mcp-scan,cisco-mcp-scanner`, |
170 | | - Args: cobra.ExactArgs(1), |
| 173 | + mcpproxy security scan github-server --scanners mcp-scan,cisco-mcp-scanner |
| 174 | + mcpproxy security scan --all |
| 175 | + mcpproxy security scan --all --scanners mcp-scan`, |
| 176 | + Args: cobra.MaximumNArgs(1), |
171 | 177 | RunE: runSecurityScan, |
172 | 178 | } |
173 | 179 |
|
| 180 | + cmd.Flags().BoolVar(&secScanAll, "all", false, "Scan all servers (shows progress table)") |
174 | 181 | cmd.Flags().BoolVar(&secScanAsync, "async", false, "Start scan and return immediately without waiting") |
175 | 182 | cmd.Flags().BoolVar(&secScanDryRun, "dry-run", false, "Simulate scan without executing") |
176 | 183 | cmd.Flags().StringVar(&secScanners, "scanners", "", "Comma-separated scanner IDs to use (default: all installed)") |
@@ -495,6 +502,16 @@ func runSecurityConfigure(_ *cobra.Command, args []string) error { |
495 | 502 | } |
496 | 503 |
|
497 | 504 | func runSecurityScan(_ *cobra.Command, args []string) error { |
| 505 | + // Handle --all flag |
| 506 | + if secScanAll { |
| 507 | + return runSecurityScanAll() |
| 508 | + } |
| 509 | + |
| 510 | + // Single server mode requires exactly one argument |
| 511 | + if len(args) < 1 { |
| 512 | + return fmt.Errorf("server name is required (or use --all to scan all servers)") |
| 513 | + } |
| 514 | + |
498 | 515 | client, _, err := newSecurityCLIClient() |
499 | 516 | if err != nil { |
500 | 517 | return err |
@@ -529,6 +546,17 @@ func runSecurityScan(_ *cobra.Command, args []string) error { |
529 | 546 | return fmt.Errorf("failed to read response: %w", err) |
530 | 547 | } |
531 | 548 |
|
| 549 | + // Check for disabled server (500 with specific message) |
| 550 | + if resp.StatusCode == http.StatusInternalServerError { |
| 551 | + errMsg := extractAPIErrorMsg(respBody) |
| 552 | + if strings.Contains(strings.ToLower(errMsg), "disabled") || strings.Contains(strings.ToLower(errMsg), "not enabled") { |
| 553 | + fmt.Fprintf(os.Stderr, "Error: Server %q is disabled. Enable it first or quarantine and scan:\n", serverName) |
| 554 | + fmt.Fprintf(os.Stderr, " mcpproxy upstream enable %s\n", serverName) |
| 555 | + fmt.Fprintf(os.Stderr, " mcpproxy security scan %s\n", serverName) |
| 556 | + return fmt.Errorf("server %q is disabled", serverName) |
| 557 | + } |
| 558 | + } |
| 559 | + |
532 | 560 | if resp.StatusCode != http.StatusAccepted && resp.StatusCode != http.StatusOK { |
533 | 561 | return parseAPIError(respBody, resp.StatusCode, "start scan") |
534 | 562 | } |
@@ -621,6 +649,224 @@ func runSecurityScan(_ *cobra.Command, args []string) error { |
621 | 649 | } |
622 | 650 | } |
623 | 651 |
|
| 652 | +// runSecurityScanAll handles the --all flag: starts a batch scan and polls for progress. |
| 653 | +func runSecurityScanAll() error { |
| 654 | + client, _, err := newSecurityCLIClient() |
| 655 | + if err != nil { |
| 656 | + return err |
| 657 | + } |
| 658 | + |
| 659 | + // Build request body |
| 660 | + reqBody := map[string]interface{}{} |
| 661 | + if secScanners != "" { |
| 662 | + reqBody["scanner_ids"] = splitAndTrim(secScanners) |
| 663 | + } |
| 664 | + |
| 665 | + body, err := json.Marshal(reqBody) |
| 666 | + if err != nil { |
| 667 | + return fmt.Errorf("failed to marshal request: %w", err) |
| 668 | + } |
| 669 | + |
| 670 | + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Minute) |
| 671 | + defer cancel() |
| 672 | + |
| 673 | + resp, err := client.DoRaw(ctx, http.MethodPost, "/api/v1/security/scan-all", body) |
| 674 | + if err != nil { |
| 675 | + return fmt.Errorf("failed to start batch scan: %w", err) |
| 676 | + } |
| 677 | + defer resp.Body.Close() |
| 678 | + |
| 679 | + respBody, err := io.ReadAll(resp.Body) |
| 680 | + if err != nil { |
| 681 | + return fmt.Errorf("failed to read response: %w", err) |
| 682 | + } |
| 683 | + |
| 684 | + if resp.StatusCode != http.StatusAccepted && resp.StatusCode != http.StatusOK { |
| 685 | + return parseAPIError(respBody, resp.StatusCode, "start batch scan") |
| 686 | + } |
| 687 | + |
| 688 | + format := ResolveOutputFormat() |
| 689 | + |
| 690 | + // If --async, return immediately |
| 691 | + if secScanAsync { |
| 692 | + if format == "json" || format == "yaml" { |
| 693 | + return formatAndPrintRaw(format, respBody) |
| 694 | + } |
| 695 | + fmt.Println("Batch scan started. Use 'mcpproxy security scan --all' to check progress.") |
| 696 | + return nil |
| 697 | + } |
| 698 | + |
| 699 | + // Poll for progress |
| 700 | + for { |
| 701 | + time.Sleep(3 * time.Second) |
| 702 | + |
| 703 | + qResp, err := client.DoRaw(ctx, http.MethodGet, "/api/v1/security/queue", nil) |
| 704 | + if err != nil { |
| 705 | + return fmt.Errorf("failed to check queue progress: %w", err) |
| 706 | + } |
| 707 | + |
| 708 | + qBody, err := io.ReadAll(qResp.Body) |
| 709 | + qResp.Body.Close() |
| 710 | + if err != nil { |
| 711 | + return fmt.Errorf("failed to read queue response: %w", err) |
| 712 | + } |
| 713 | + |
| 714 | + if qResp.StatusCode != http.StatusOK { |
| 715 | + return parseAPIError(qBody, qResp.StatusCode, "check queue progress") |
| 716 | + } |
| 717 | + |
| 718 | + var progress map[string]interface{} |
| 719 | + qBody, err = unwrapAPIResponse(qBody) |
| 720 | + if err != nil { |
| 721 | + return fmt.Errorf("API error: %w", err) |
| 722 | + } |
| 723 | + if err := json.Unmarshal(qBody, &progress); err != nil { |
| 724 | + return fmt.Errorf("failed to parse progress: %w", err) |
| 725 | + } |
| 726 | + |
| 727 | + // Check if idle (no batch in progress) |
| 728 | + queueStatus := getMapString(progress, "status") |
| 729 | + if queueStatus == "idle" { |
| 730 | + fmt.Println("No batch scan in progress.") |
| 731 | + return nil |
| 732 | + } |
| 733 | + |
| 734 | + // JSON/YAML output for final state |
| 735 | + if queueStatus == "completed" || queueStatus == "cancelled" { |
| 736 | + if format == "json" || format == "yaml" { |
| 737 | + return formatAndPrint(format, progress) |
| 738 | + } |
| 739 | + printQueueProgressTable(progress) |
| 740 | + fmt.Println() |
| 741 | + if queueStatus == "completed" { |
| 742 | + fmt.Println("Batch scan completed.") |
| 743 | + } else { |
| 744 | + fmt.Println("Batch scan was cancelled.") |
| 745 | + } |
| 746 | + return nil |
| 747 | + } |
| 748 | + |
| 749 | + // Show progress table (clear screen with carriage returns for terminal) |
| 750 | + printQueueProgressTable(progress) |
| 751 | + } |
| 752 | +} |
| 753 | + |
| 754 | +// printQueueProgressTable prints the progress table for a batch scan. |
| 755 | +func printQueueProgressTable(progress map[string]interface{}) { |
| 756 | + total := int(getMapFloat(progress, "total")) |
| 757 | + completed := int(getMapFloat(progress, "completed")) |
| 758 | + running := int(getMapFloat(progress, "running")) |
| 759 | + skipped := int(getMapFloat(progress, "skipped")) |
| 760 | + failed := int(getMapFloat(progress, "failed")) |
| 761 | + |
| 762 | + fmt.Printf("\nScanning all servers (%d/%d completed, %d running", completed, total, running) |
| 763 | + if skipped > 0 { |
| 764 | + fmt.Printf(", %d skipped", skipped) |
| 765 | + } |
| 766 | + if failed > 0 { |
| 767 | + fmt.Printf(", %d failed", failed) |
| 768 | + } |
| 769 | + fmt.Println(")...") |
| 770 | + |
| 771 | + // Table header |
| 772 | + fmt.Printf("%-24s %-12s %-10s %s\n", "SERVER", "STATUS", "FINDINGS", "ERROR") |
| 773 | + fmt.Println(strings.Repeat("-", 70)) |
| 774 | + |
| 775 | + // Items |
| 776 | + if items, ok := progress["items"].([]interface{}); ok { |
| 777 | + for _, item := range items { |
| 778 | + if it, ok := item.(map[string]interface{}); ok { |
| 779 | + name := getMapString(it, "server_name") |
| 780 | + status := getMapString(it, "status") |
| 781 | + errMsg := getMapString(it, "error") |
| 782 | + skipReason := getMapString(it, "skip_reason") |
| 783 | + findings := "-" |
| 784 | + |
| 785 | + // Show error or skip reason |
| 786 | + msg := errMsg |
| 787 | + if skipReason != "" { |
| 788 | + msg = skipReason |
| 789 | + } |
| 790 | + if len(msg) > 30 { |
| 791 | + msg = msg[:27] + "..." |
| 792 | + } |
| 793 | + |
| 794 | + fmt.Printf("%-24s %-12s %-10s %s\n", |
| 795 | + secTruncate(name, 24), |
| 796 | + status, |
| 797 | + findings, |
| 798 | + msg, |
| 799 | + ) |
| 800 | + } |
| 801 | + } |
| 802 | + } |
| 803 | +} |
| 804 | + |
| 805 | +func newSecurityCancelAllCmd() *cobra.Command { |
| 806 | + return &cobra.Command{ |
| 807 | + Use: "cancel-all", |
| 808 | + Short: "Cancel a running batch scan", |
| 809 | + Long: `Cancel the current batch security scan in progress. |
| 810 | +Any pending server scans will be skipped. Running scans may complete. |
| 811 | +
|
| 812 | +Examples: |
| 813 | + mcpproxy security cancel-all`, |
| 814 | + RunE: runSecurityCancelAll, |
| 815 | + } |
| 816 | +} |
| 817 | + |
| 818 | +func runSecurityCancelAll(_ *cobra.Command, _ []string) error { |
| 819 | + client, _, err := newSecurityCLIClient() |
| 820 | + if err != nil { |
| 821 | + return err |
| 822 | + } |
| 823 | + |
| 824 | + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) |
| 825 | + defer cancel() |
| 826 | + |
| 827 | + resp, err := client.DoRaw(ctx, http.MethodPost, "/api/v1/security/cancel-all", nil) |
| 828 | + if err != nil { |
| 829 | + return fmt.Errorf("failed to cancel batch scan: %w", err) |
| 830 | + } |
| 831 | + defer resp.Body.Close() |
| 832 | + |
| 833 | + respBody, err := io.ReadAll(resp.Body) |
| 834 | + if err != nil { |
| 835 | + return fmt.Errorf("failed to read response: %w", err) |
| 836 | + } |
| 837 | + |
| 838 | + if resp.StatusCode != http.StatusOK { |
| 839 | + return parseAPIError(respBody, resp.StatusCode, "cancel batch scan") |
| 840 | + } |
| 841 | + |
| 842 | + format := ResolveOutputFormat() |
| 843 | + if format == "json" || format == "yaml" { |
| 844 | + return formatAndPrintRaw(format, respBody) |
| 845 | + } |
| 846 | + |
| 847 | + fmt.Println("Batch scan cancelled.") |
| 848 | + return nil |
| 849 | +} |
| 850 | + |
| 851 | +// extractAPIErrorMsg extracts the error message from an API error response body. |
| 852 | +func extractAPIErrorMsg(body []byte) string { |
| 853 | + var errResp map[string]interface{} |
| 854 | + if err := json.Unmarshal(body, &errResp); err == nil { |
| 855 | + if msg, ok := errResp["error"].(string); ok { |
| 856 | + return msg |
| 857 | + } |
| 858 | + } |
| 859 | + return string(body) |
| 860 | +} |
| 861 | + |
| 862 | +// getMapFloat returns a float64 value from a map, defaulting to 0. |
| 863 | +func getMapFloat(m map[string]interface{}, key string) float64 { |
| 864 | + if v, ok := m[key].(float64); ok { |
| 865 | + return v |
| 866 | + } |
| 867 | + return 0 |
| 868 | +} |
| 869 | + |
624 | 870 | func runSecurityStatus(_ *cobra.Command, args []string) error { |
625 | 871 | client, _, err := newSecurityCLIClient() |
626 | 872 | if err != nil { |
|
0 commit comments