MCP server (#7)

feat(MCP-server)

This commit establishes the initial MCP server implementation
and registers the five tools for Keylime.

- Get_all_agents
- Get_agent_status
- Get_failed_agents
- Reactivate_agent
- Get_agent_policies

---------

Signed-off-by: Marek Safarik <[email protected]>
Co-authored-by: Marek Safarik <[email protected]>

Author: msafarik

.env.example

@@ -0,0 +1,19 @@
+# Keylime MCP Server Configuration
+
+# Keylime API endpoints
+KEYLIME_VERIFIER_URL=https://localhost:8881
+KEYLIME_REGISTRAR_URL=https://localhost:8891
+KEYLIME_API_VERSION=v2.4
+
+# TLS Configuration
+KEYLIME_TLS_ENABLED=true
+KEYLIME_IGNORE_HOSTNAME=true
+
+# Certificate paths
+# For local development with copied certificates:
+KEYLIME_CERT_DIR=/home/YOUR_USERNAME/.keylime/certs
+# Or for sudo access to system certificates:
+# KEYLIME_CERT_DIR=/var/lib/keylime/cv_ca
+
+# Server configuration
+PORT=8080

.gitignore

@@ -6,8 +6,7 @@ dist/
 *.out
 
 # Go
-*.exe
-*.test
+backend/server
 
 # Environment
 .env

Makefile

@@ -14,8 +14,15 @@ help:
 	@echo "  make logs   - View logs"
 	@echo "  make ps     - List containers"
 	@echo "  make clean  - Remove all"
+	@echo "  make mcp    - Build MCP server"
 
-build:
+.env:
+	@if [ ! -f .env ]; then \
+		cp .env.example .env; \
+		echo "Created .env from .env.example"; \
+	fi
+
+build: .env
 	podman-compose -f compose.yml build
 
 up:
@@ -34,3 +41,6 @@ ps:
 clean:
 	podman-compose -f compose.yml down -v
 	podman system prune -f
+
+mcp:
+	cd backend && go build -o server *.go

README.md

@@ -11,7 +11,37 @@ This MCP server is a helper tool for working with Keylime. To actually interact
 - Network access to the Keylime API endpoints
 - [Podman](https://podman.io/getting-started/installation) must be installed on your system.
 
-## Quick Start
+## Usage
+
+There are two ways to use this MCP server:
+
+### Option 1: With MCP Client (Claude Desktop, Cline, etc.)
+
+Build the server:
+```bash
+cd backend
+go build -o server *.go
+```
+
+You can move the binary anywhere you want (e.g., `/usr/local/bin/server).
+
+Add to your MCP client config (e.g., `~/.config/Claude/claude_desktop_config.json`):
+```json
+{
+  "mcpServers": {
+    "keylime": {
+      "command": "/full/path/to/keylime-mcp/backend/server",
+      "args": []
+    }
+  }
+}
+```
+
+**Replace `/full/path/to/keylime-mcp` with your actual path!**
+
+Restart your MCP client. Done.
+
+### Option 2: Web UI (Docker)
 
 ```bash
 make build
@@ -25,7 +55,7 @@ Run locally without containers:
 
 ```bash
 # Backend
-cd backend && go run main.go
+cd backend && go run *.go
 
 # Frontend
 cd frontend && pnpm dev

backend/Containerfile

@@ -1,9 +1,9 @@
 FROM golang:1.23-alpine AS builder
 WORKDIR /app
-COPY go.mod ./
+COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
-RUN go build -o server .
+RUN go build -o server *.go
 
 FROM alpine:latest
 WORKDIR /app

backend/client.go

@@ -0,0 +1,128 @@
+package main
+
+import (
+	"bytes"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+)
+
+// newKeylimeClient creates HTTP client for Keylime API with mTLS support
+func newKeylimeClient(baseURL string) *KeylimeClient {
+	// Remove "http(s)://" prefix if present
+	baseURL = strings.TrimPrefix(baseURL, "https://")
+	baseURL = strings.TrimPrefix(baseURL, "http://")
+
+	var finalURL string
+	var httpClient *http.Client
+
+	if config.TLSEnabled {
+		finalURL = "https://" + strings.TrimSuffix(baseURL, "/")
+		tlsConfig := createTLSConfig()
+		httpClient = &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: tlsConfig,
+			},
+		}
+	} else {
+		finalURL = "http://" + strings.TrimSuffix(baseURL, "/")
+		httpClient = &http.Client{}
+	}
+
+	return &KeylimeClient{
+		baseURL:    finalURL,
+		apiVersion: config.APIVersion,
+		httpClient: httpClient,
+	}
+}
+
+// createTLSConfig creates TLS configuration with mTLS support
+// Equivalent to Python's HostNameIgnoreAdapter with SSL context
+func createTLSConfig() *tls.Config {
+	// Load client certificate and key
+	cert, err := tls.LoadX509KeyPair(config.ClientCert, config.ClientKey)
+	if err != nil {
+		log.Printf("Warning: Failed to load client certificate: %v", err)
+		log.Printf("Attempting to connect without client cert (may fail with mTLS servers)")
+		// Return basic TLS config without client cert
+		return &tls.Config{
+			InsecureSkipVerify: true,
+		}
+	}
+
+	// Load CA certificate
+	caCertPEM, err := os.ReadFile(config.CAPath)
+	if err != nil {
+		log.Printf("Warning: Failed to load CA certificate: %v", err)
+		log.Printf("Using system CA pool")
+	}
+
+	// Create CA pool
+	caCertPool := x509.NewCertPool()
+	if caCertPEM != nil {
+		if !caCertPool.AppendCertsFromPEM(caCertPEM) {
+			log.Printf("Warning: Failed to append CA certificate to pool")
+		}
+	}
+
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      caCertPool,
+		// Ignore hostname verification (like Python's HostNameIgnoreAdapter)
+		// This is needed because Keylime certs often don't have correct hostname
+		InsecureSkipVerify: config.IgnoreHostname,
+	}
+
+	return tlsConfig
+}
+
+func (kc *KeylimeClient) Get(endpoint string) (*http.Response, error) {
+	url := fmt.Sprintf("%s/%s/%s", kc.baseURL, kc.apiVersion, strings.TrimPrefix(endpoint, "/"))
+	return kc.httpClient.Get(url)
+}
+
+func (kc *KeylimeClient) Post(endpoint string, body interface{}) (*http.Response, error) {
+	url := fmt.Sprintf("%s/%s/%s", kc.baseURL, kc.apiVersion, strings.TrimPrefix(endpoint, "/"))
+	var buf bytes.Buffer
+	if body != nil {
+		if err := json.NewEncoder(&buf).Encode(body); err != nil {
+			return nil, fmt.Errorf("failed to marshal body: %w", err)
+		}
+	}
+	req, err := http.NewRequest("POST", url, &buf)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	return kc.httpClient.Do(req)
+}
+
+func (kc *KeylimeClient) Put(endpoint string, body interface{}) (*http.Response, error) {
+	url := fmt.Sprintf("%s/%s/%s", kc.baseURL, kc.apiVersion, strings.TrimPrefix(endpoint, "/"))
+	var buf bytes.Buffer
+	if body != nil {
+		if err := json.NewEncoder(&buf).Encode(body); err != nil {
+			return nil, fmt.Errorf("failed to marshal body: %w", err)
+		}
+	}
+	req, err := http.NewRequest("PUT", url, &buf)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	return kc.httpClient.Do(req)
+}
+
+func (kc *KeylimeClient) Delete(endpoint string) (*http.Response, error) {
+	url := fmt.Sprintf("%s/%s/%s", kc.baseURL, kc.apiVersion, strings.TrimPrefix(endpoint, "/"))
+	req, err := http.NewRequest("DELETE", url, nil)
+	if err != nil {
+		return nil, err
+	}
+	return kc.httpClient.Do(req)
+}

backend/go.mod

@@ -1,4 +1,16 @@
 module github.com/keylime/keylime-mcp/backend
 
-go 1.23
+go 1.23.0
 
+toolchain go1.24.8
+
+require (
+	github.com/joho/godotenv v1.5.1
+	github.com/modelcontextprotocol/go-sdk v1.1.0
+)
+
+require (
+	github.com/google/jsonschema-go v0.3.0 // indirect
+	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+)

backend/go.sum

@@ -0,0 +1,14 @@
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/jsonschema-go v0.3.0 h1:6AH2TxVNtk3IlvkkhjrtbUc4S8AvO0Xii0DxIygDg+Q=
+github.com/google/jsonschema-go v0.3.0/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/modelcontextprotocol/go-sdk v1.1.0 h1:Qjayg53dnKC4UZ+792W21e4BpwEZBzwgRW6LrjLWSwA=
+github.com/modelcontextprotocol/go-sdk v1.1.0/go.mod h1:6fM3LCm3yV7pAs8isnKLn07oKtB0MP9LHd3DfAcKw10=
+github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=
+github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
+golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=

backend/handlers.go

@@ -0,0 +1,42 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+)
+
+func healthHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Content-Type", "application/json")
+
+	response := HealthResponse{
+		Status:  "healthy",
+		Service: "keylime-mcp-backend",
+	}
+
+	json.NewEncoder(w).Encode(response)
+}
+
+func getAllAgentsHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Content-Type", "application/json")
+
+	resp, err := keylimeRegistrarClient.Get("agents")
+	if err != nil {
+		log.Printf("Error fetching agents: %v", err)
+		http.Error(w, "Failed to fetch agents: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+	defer resp.Body.Close()
+
+	var agents interface{}
+	err = json.NewDecoder(resp.Body).Decode(&agents)
+	if err != nil {
+		log.Printf("Error decoding agents: %v", err)
+		http.Error(w, "Failed to decode agents response"+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	json.NewEncoder(w).Encode(agents)
+}