Class SecurityRunner

java.lang.Object
neqsim.mcp.runners.SecurityRunner

public final class SecurityRunner extends Object
Security and multi-tenancy layer for the NeqSim MCP server.

Provides:

  • API key-based authentication for production deployments
  • Per-user session isolation to prevent cross-contamination
  • Comprehensive audit logging of all simulation and data access operations
  • Rate limiting to protect compute resources from abuse
  • User/project context for multi-tenant usage

This is an application-level security layer. In production, combine it with transport-level security (TLS, OAuth2) provided by the deployment platform.

Version:
1.0
Author:
Even Solbraa
  • Field Details

    • GSON

      private static final com.google.gson.Gson GSON
    • API_KEYS

      private static final ConcurrentHashMap<String, SecurityRunner.UserContext> API_KEYS
      Registered API keys (in production, these would come from a database or vault).
    • AUDIT_LOG

      private static final List<SecurityRunner.AuditEntry> AUDIT_LOG
      Audit log (in production, this would write to a persistent store).
    • RATE_LIMITS

      private static final ConcurrentHashMap<String, SecurityRunner.RateState> RATE_LIMITS
      Rate limiting: requests per key in the current time window.
    • DEFAULT_RATE_LIMIT

      private static final int DEFAULT_RATE_LIMIT
      Default rate limit: requests per minute.
    • RATE_WINDOW_MS

      private static final long RATE_WINDOW_MS
      Rate window in milliseconds.
    • MAX_AUDIT_LOG_SIZE

      private static final int MAX_AUDIT_LOG_SIZE
      Max audit log entries kept in memory.
    • enabled

      private static volatile boolean enabled
      Whether security enforcement is enabled.
    • REQUEST_COUNTER

      private static final AtomicLong REQUEST_COUNTER
      Global request counter.
  • Constructor Details

    • SecurityRunner

      private SecurityRunner()
      Private constructor — all methods are static.
  • Method Details

    • run

      public static String run(String json)
      Main entry point for security operations.
      Parameters:
      json - JSON with action and parameters
      Returns:
      JSON with results
    • checkAccess

      public static String checkAccess(String apiKey, String tool)
      Checks authentication and rate limiting for an incoming request. Call this at the beginning of any protected tool invocation.
      Parameters:
      apiKey - the API key (optional if security is disabled)
      tool - the tool being invoked
      Returns:
      null if allowed, or an error JSON string if denied
    • createApiKey

      private static String createApiKey(com.google.gson.JsonObject input)
      Creates a new API key for a user/project.
      Parameters:
      input - JSON with user details
      Returns:
      JSON with the new API key
    • revokeApiKey

      private static String revokeApiKey(com.google.gson.JsonObject input)
      Revokes an API key.
      Parameters:
      input - JSON with apiKey
      Returns:
      JSON confirmation
    • authenticate

      private static String authenticate(com.google.gson.JsonObject input)
      Authenticates with an API key and returns user context.
      Parameters:
      input - JSON with apiKey
      Returns:
      JSON with authentication result
    • getAuditLog

      private static String getAuditLog(com.google.gson.JsonObject input)
      Returns recent audit log entries.
      Parameters:
      input - JSON with optional filters (userId, tool, limit)
      Returns:
      JSON with audit entries
    • getRateLimits

      private static String getRateLimits()
      Returns current rate limit status for all authenticated users.
      Returns:
      JSON with rate limit details
    • setConfig

      private static String setConfig(com.google.gson.JsonObject input)
      Configures security settings.
      Parameters:
      input - JSON with configuration
      Returns:
      JSON confirmation
    • getStatus

      private static String getStatus()
      Returns current security status.
      Returns:
      JSON with security status
    • checkRateLimit

      private static boolean checkRateLimit(String key, int limit)
      Checks rate limiting for a key.
      Parameters:
      key - the API key
      limit - the max requests per window
      Returns:
      true if within limits
    • logAudit

      private static void logAudit(String userId, String tool, String result, String details)
      Logs an audit entry.
      Parameters:
      userId - the user ID
      tool - the tool invoked
      result - the result (allowed, denied, rate_limited)
      details - additional details
    • errorJson

      private static String errorJson(String code, String message, String remediation)
      Creates a standard error JSON response.
      Parameters:
      code - the error code
      message - the error message
      remediation - the fix
      Returns:
      the JSON string
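
The authenticate-then-rate-limit check that checkAccess and checkRateLimit describe, as an added sketch (not NeqSim source code): a self-contained Java class with the same null-if-allowed contract and a per-key request window. The class and method names, the fixed-window scheme, the limit of 60 requests, the 60-second window and the error JSON shapes are assumptions, since the page does not show the constant values, the algorithm or the response format.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration, not NeqSim source. All names and constants are assumptions. */
public final class AccessCheckSketch {
  static final int LIMIT = 60;           // assumed; the page does not show DEFAULT_RATE_LIMIT
  static final long WINDOW_MS = 60_000L; // assumed; the page does not show RATE_WINDOW_MS

  /** Immutable per-key counter for the current fixed window. */
  static final class Window {
    final long start;
    final int count;
    Window(long start, int count) { this.start = start; this.count = count; }
  }

  private final Map<String, String> keys = new ConcurrentHashMap<>(); // apiKey -> userId
  private final ConcurrentHashMap<String, Window> windows = new ConcurrentHashMap<>();

  void register(String apiKey, String userId) { keys.put(apiKey, userId); }

  /** Returns null if allowed, or an error JSON string if denied. */
  String check(String apiKey, long nowMs) {
    // Authenticate first so unknown keys never create rate-limit state.
    if (apiKey == null || !keys.containsKey(apiKey)) {
      return "{\"error\":\"unauthorized\"}";
    }
    // compute() runs atomically per key, so concurrent requests cannot lose increments.
    Window w = windows.compute(apiKey, (k, old) ->
        (old == null || nowMs - old.start >= WINDOW_MS)
            ? new Window(nowMs, 1)                                        // new window
            : new Window(old.start, Math.min(old.count + 1, LIMIT + 1))); // capped count
    return w.count <= LIMIT ? null : "{\"error\":\"rate_limited\"}";
  }

  public static void main(String[] args) {
    AccessCheckSketch s = new AccessCheckSketch();
    s.register("constructed-key-1", "user-a"); // constructed sample key
    long t0 = 1_000_000L;                      // constructed timestamp
    int allowed = 0;
    for (int i = 0; i < LIMIT + 5; i++) {
      if (s.check("constructed-key-1", t0 + i) == null) allowed++;
    }
    System.out.println("allowed in first window: " + allowed);
    System.out.println("unknown key: " + s.check("not-registered", t0));
    System.out.println("after window reset: " + s.check("constructed-key-1", t0 + WINDOW_MS));
  }
}
```

A fixed window admits up to twice the limit in a short burst that straddles a window boundary; a sliding window or token bucket avoids that.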