§
    !¾<iJ  ã                   ó   — d Z ddlZddlmZmZ ddlmZ ddlmZ  ej	        e
¦  «        Z G d„ de¦  «        Z G d„ d	¦  «        ZdS )
z3DNS rebinding protection for MCP server transports.é    N)Ú	BaseModelÚField)ÚRequest)ÚResponsec                   ó˜   — e Zd ZU dZ edd¬¦  «        Zeed<    eg d¬¦  «        Ze	e
         ed<    eg d¬¦  «        Ze	e
         ed	<   d
S )ÚTransportSecuritySettingszSettings for MCP transport security features.

    These settings help protect against DNS rebinding attacks by validating
    incoming request headers.
    Tz<Enable DNS rebinding protection (recommended for production))ÚdefaultÚdescriptionÚenable_dns_rebinding_protectionz^List of allowed Host header values. Only applies when enable_dns_rebinding_protection is True.Úallowed_hostsz`List of allowed Origin header values. Only applies when enable_dns_rebinding_protection is True.Úallowed_originsN)Ú__name__Ú
__module__Ú__qualname__Ú__doc__r   r   ÚboolÚ__annotations__r   ÚlistÚstrr   © ó    ú˜/Users/kimhansen/Desktop/03 Workspace/ceo-agents/chl-effectiveness/mcp-servers/whoop/.venv/lib/python3.11/site-packages/mcp/server/transport_security.pyr   r      sº   € € € € € € ðð ð -2¨EØØRð-ñ -ô -Ð# Tð ð ñ ð
  %˜uØð5ð ñ  ô  €M4˜”9ð ð ñ ð "' Øð5ð"ñ "ô "€OT˜#”Yð ð ñ ð ð r   r   c                   ó„   — e Zd ZdZddedz  fd„Zdedz  defd„Zdedz  defd	„Z	d
edz  defd„Z
ddedededz  fd„ZdS )ÚTransportSecurityMiddlewarezKMiddleware to enforce DNS rebinding protection for MCP transport endpoints.NÚsettingsc                 ó4   — |pt          d¬¦  «        | _        d S )NF)r   )r   r   )Úselfr   s     r   Ú__init__z$TransportSecurityMiddleware.__init__(   s!   € ð !ÐdÕ$=Ð^cÐ$dÑ$dÔ$dˆŒˆˆr   ÚhostÚreturnc                 ó.  — |st                                d¦  «         dS || j        j        v rdS | j        j        D ]<}|                     d¦  «        r%|dd…         }|                     |dz   ¦  «        r dS Œ=t                                d|› ¦  «         dS )	z0Validate the Host header against allowed values.zMissing Host header in requestFTú:*Néþÿÿÿú:zInvalid Host header: )ÚloggerÚwarningr   r   ÚendswithÚ
startswith)r   r   ÚallowedÚ	base_hosts       r   Ú_validate_hostz*TransportSecurityMiddleware._validate_host-   s²   € àð 	ÝNŠNÐ;Ñ<Ô<Ð<Ø5ð 4”=Ô.Ð.Ð.Ø4ð ”}Ô2ð 	 ð 	 ˆGØ×Ò Ñ%Ô%ð  à# C R CœL	à—?’? 9¨s¡?Ñ3Ô3ð  Ø˜4˜4øåŠÐ5¨tÐ5Ð5Ñ6Ô6Ð6Øˆur   Úoriginc                 óú   — |sdS || j         j        v rdS | j         j        D ]<}|                     d¦  «        r%|dd…         }|                     |dz   ¦  «        r dS Œ=t                               d|› ¦  «         dS )z2Validate the Origin header against allowed values.Tr"   Nr#   r$   zInvalid Origin header: F)r   r   r'   r(   r%   r&   )r   r,   r)   Úbase_origins       r   Ú_validate_originz,TransportSecurityMiddleware._validate_originC   s¤   € ð ð 	Ø4ð T”]Ô2Ð2Ð2Ø4ð ”}Ô4ð 	 ð 	 ˆGØ×Ò Ñ%Ô%ð  à% c r cœlà×$Ò$ [°3Ñ%6Ñ7Ô7ð  Ø˜4˜4øåŠÐ9°Ð9Ð9Ñ:Ô:Ð:Øˆur   Úcontent_typec                 óÎ   — |st                                d¦  «         dS |                     ¦   «                              d¦  «        st                                d|› ¦  «         dS dS )z3Validate the Content-Type header for POST requests.z+Missing Content-Type header in POST requestFzapplication/jsonzInvalid Content-Type header: T)r%   r&   Úlowerr(   )r   r0   s     r   Ú_validate_content_typez2TransportSecurityMiddleware._validate_content_typeY   sl   € àð 	ÝNŠNÐHÑIÔIÐIØ5ð ×!Ò!Ñ#Ô#×.Ò.Ð/AÑBÔBð 	ÝNŠNÐI¸<ÐIÐIÑJÔJÐJØ5àˆtr   FÚrequestÚis_postc              ƒ   óª  K  — |r@|j                              d¦  «        }|                      |¦  «        st          dd¬¦  «        S | j        j        sdS |j                              d¦  «        }|                      |¦  «        st          dd¬¦  «        S |j                              d	¦  «        }|                      |¦  «        st          d
d¬¦  «        S dS )z•Validate request headers for DNS rebinding protection.

        Returns None if validation passes, or an error Response if validation fails.
        zcontent-typezInvalid Content-Type headeri  )Ústatus_codeNr   zInvalid Host headeri¥  r,   zInvalid Origin headeri“  )ÚheadersÚgetr3   r   r   r   r+   r/   )r   r4   r5   r0   r   r,   s         r   Úvalidate_requestz,TransportSecurityMiddleware.validate_requestf   sî   è è € ð ð 	PØ"œ?×.Ò.¨~Ñ>Ô>ˆLØ×.Ò.¨|Ñ<Ô<ð PÝÐ =È3ÐOÑOÔOÐOð Œ}Ô<ð 	Ø4ð Œ×"Ò" 6Ñ*Ô*ˆØ×"Ò" 4Ñ(Ô(ð 	DÝÐ1¸sÐCÑCÔCÐCð ”×$Ò$ XÑ.Ô.ˆØ×$Ò$ VÑ,Ô,ð 	FÝÐ3ÀÐEÑEÔEÐEàˆtr   )N)F)r   r   r   r   r   r   r   r   r+   r/   r3   r   r   r:   r   r   r   r   r   %   sí   € € € € € ØUÐUðeð eÐ!:¸TÑ!Að eð eð eð eð
 3¨¡:ð °$ð ð ð ð ð, s¨T¡zð °dð ð ð ð ð,°3¸±:ð À$ð ð ð ð ðð ¨gð Àð ÐQYÐ\`ÑQ`ð ð ð ð ð ð r   r   )r   ÚloggingÚpydanticr   r   Ústarlette.requestsr   Ústarlette.responsesr   Ú	getLoggerr   r%   r   r   r   r   r   ú<module>r@      sÈ   ðØ 9Ð 9à €€€à %Ð %Ð %Ð %Ð %Ð %Ð %Ð %Ø &Ð &Ð &Ð &Ð &Ð &Ø (Ð (Ð (Ð (Ð (Ð (à	ˆÔ	˜8Ñ	$Ô	$€ðð ð ð ð  	ñ ô ð ð2Zð Zð Zð Zð Zñ Zô Zð Zð Zð Zr   