Merge pull request #13 from CheckPointSW/session_and_logs

Session and logs

Author: chkp-yoavg

README.md

@@ -10,9 +10,9 @@ The Model Context Protocol (MCP) is a standardized interface that allows AI agen
 
 ## Demo
 
-<!-- Place a link or embed for a demo video here -->
+[![Watch the demo](https://img.youtube.com/vi/QKBcD_99W3s/0.jpg)](https://www.youtube.com/watch?v=QKBcD_99W3s)
 
-## Use Cases
+## Example Use Cases
 
 ### Ensure regulatory compliance with industry standards  
 Prompt: Check if my gateway configuration meets PCI-DSS/HIPAA/GDPR requirements.
@@ -21,10 +21,10 @@ Prompt: Check if my gateway configuration meets PCI-DSS/HIPAA/GDPR requirements.
 Prompt: List all firewall rules that allow traffic from any source to any destination on any port. Highlight rules that are disabled or unused.
 
 ### Source → Destination Path Analysis  
-Prompt: Can you check in my policy if a HOST or Network can access the internet?
+Prompt: Can you check in my policy if a host or network can access the internet?
 
 ### Recommendation for rulebase optimization  
-Prompt: Take a look at the internet-facing rules in my policy and suggest improvements. Identify if there are any rules that should be strengthened or loosened. Consider both security risks and administrative overhead. In your recommendations, refer only to specific rules that can be changed or suggest adding new ones.
+Prompt: Take a look at the internet-facing rules in my policy and suggest improvements. Identify any rules that should be strengthened or loosened. Consider both security risks and administrative overhead. In your recommendations, refer only to specific rules that can be changed or suggest adding new ones.
 
 ### Custom policy visualizations  
 Prompt: Please create a visual report that shows which services are allowed in my network, under which conditions, and which services are strictly blocked.
@@ -42,7 +42,7 @@ Authenticate to Check Point Smart-1 Cloud using an API key.
 - **How to generate an API key:**  
   In your Smart-1 Cloud dashboard, go to **Settings → API & SmartConsole** and generate an API key.  
   Copy the key and the server login URL (excluding the `/login` suffix) to your client settings.  
-  ![alt text](s1c_api_key.png)
+  ![alt text](./resources/s1c_api_key.png)
 
 Set the following environment variables:
 
@@ -74,8 +74,23 @@ Set the following environment variables:
 
 ## Client Configuration
 
-This server can be used with Claude Desktop, Cursor, GitHub Copilot MCP integrations, or any other MCP client.  
-> Note: Due to the nature of management API calls, using this server may require a paid subscription to the model provider to handle token limits and context windows.
+### Prerequisites
+
+Download and install the latest version of [Node.js](https://nodejs.org/en/download/) if you don't already have it installed.  
+You can check your installed version by running:
+
+```bash
+node -v      # Should print "v22" or higher
+nvm current  # Should print "v22" or higher
+```
+
+### Supported Clients
+
+This server has been tested with Claude Desktop, Cursor, GitHub Copilot, and Windsurf clients.  
+It is expected to work with any MCP client that supports the Model Context Protocol.
+
+> **Note:** Due to the nature of management API calls and the variety of server tools, using this server may require a paid subscription to the model provider to support token limits and context window sizes.  
+> For smaller models, you can reduce token usage by limiting the number of enabled tools in the client.
 
 ### Smart-1 Cloud Example
 
@@ -114,7 +129,7 @@ This server can be used with Claude Desktop, Cursor, GitHub Copilot MCP integrat
 }
 ```
 
-> Set only the environment variables required for your authentication method (see above).
+> Set only the environment variables required for your authentication method.
 
 ### Configuring the Claude Desktop App
 
@@ -150,14 +165,56 @@ Add the server configuration:
 }
 ```
 
+### VSCode 
+
+Enter VSCode settings and type "mcp" in the search bar.
+You should see the option to edit the configuration file.
+Add this configuration:
+
+```json
+{
+  ...
+  "mcp": {
+    "inputs": [],
+    "servers": {
+      "quantum-management": {
+        "command": "npx",
+        "args": [
+          "@chkp/quantum_management_mcp"
+        ],
+        "env": {
+          "MANAGEMENT_HOST": "YOUR_MANAGEMENT_IP_OR_HOST_NAME",
+          "MANAGEMENT_PORT": "443",  // optional, default is 443
+          "API_KEY": "YOUR_API_KEY", // or use USERNAME and PASSWORD
+          "USERNAME": "YOUR_USERNAME", // optional
+          "PASSWORD": "YOUR_PASSWORD" // optional
+        }
+      }
+    }
+  },
+  ...
+}
+```
+
+### Windsurf
+
+Enter Windsurf settings and type "mcp" in the search bar.
+You should see the option to edit the configuration file.
+Add the configuration as Claude Desktop App.
+
+### Cursor
+
+Enter Cursor settings and click on "MCP Servers" in the left menu.
+You should see the option to add a new MCP Server.
+Add the configuration as Claude Desktop App.
 ---
 
 ## Development
 
 ### Prerequisites
 
 - Node.js 22+  
-- npm 8+  
+- npm 10+  
 
 ### Setup
 
@@ -175,7 +232,7 @@ npm run build
 
 ### Running Locally
 
-Run the server locally for development using [MCP Inspector](https://modelcontextprotocol.io/docs/tools/inspector) or any MCP client.
+You can run the server locally for development using [MCP Inspector](https://modelcontextprotocol.io/docs/tools/inspector) or any compatible MCP client.
 
 ```bash
 node FULL_PATH_TO_SERVER/packages/management/dist/index.js --s1c-url|--management-host --api-key|--username|--password
@@ -187,4 +244,4 @@ node FULL_PATH_TO_SERVER/packages/management/dist/index.js --s1c-url|--managemen
 
 1. **Authentication keys and credentials are never shared with the model.** They are used only by the MCP server to authenticate with your Check Point management system.  
 2. **Only use client implementations you trust.** Malicious or untrusted clients could misuse your credentials or access data improperly.  
-3. **Management data is exposed to the model.** Use models and providers that comply with your organization’s policies on sensitive data and PII handling.
+3. **Management data is exposed to the model.** Ensure that you only use models and providers that comply with your organization’s policies for handling sensitive data and PII.

packages/infra/src/api-client.ts

@@ -9,9 +9,6 @@ function getMainPackageUserAgent(): string {
   return "Check Point MCP API Client/v1.0";
 }
 
-// Constants for API URLs
-export const ON_PREM_CI_BASE_URL = "{}/{}/api/v2/environments/{}/web_api";
-
 /**
  * Response from an API client call
  */
@@ -26,11 +23,20 @@ export class ClientResponse {
  * Base class for API clients
  */
 export abstract class APIClientBase {
+  private static _instance: APIClientBase;
   protected sid: string | null = null;
+  protected sessionTimeout: number | null = null; // in seconds
+  protected sessionStart: number | null = null;   // timestamp when session was created
+
 
   constructor(
     protected readonly apiKey: string,
-  ) {}
+  ) {
+    if (APIClientBase._instance) {
+      return APIClientBase._instance;
+    }
+    APIClientBase._instance = this;
+  }
 
   /**
    * Get the host URL for the API client
@@ -63,10 +69,11 @@ export abstract class APIClientBase {
     data: Record<string, any>,
     params?: Record<string, any>
   ): Promise<ClientResponse> {
-    if (!this.sid) {
-      this.sid = await this.loginWithApiKey();
+
+    if (!this.sid || this.isSessionExpired()) {
+      this.sid = await this.login();
     }
-    
+
     return await APIClientBase.makeRequest(
       this.getHost(),
       method,
@@ -77,19 +84,30 @@ export abstract class APIClientBase {
     );
   }
 
+  /**
+   * Check if the session is expired based on sessionTimeout and sessionStart
+   */
+  protected isSessionExpired(): boolean {
+    if (!this.sid || !this.sessionTimeout || !this.sessionStart) return true;
+    const now = Date.now();
+    // Add a small buffer (5 seconds) to avoid edge cases
+    return now > (this.sessionStart + (this.sessionTimeout - 5) * 1000);
+  }
+
   /**
    * Login to the API using the API key
    */
-  async loginWithApiKey(): Promise<string> {
-    console.error("Logging in with API key");
-    
+  async login(): Promise<string> {
     const loginResp = await APIClientBase.makeRequest(
       this.getHost(),
       "POST",
       "login",
       { "api-key": this.apiKey },
       { "Content-Type": "application/json" }
     );
+
+    this.sessionTimeout = loginResp.response["session-timeout"] || null;
+    this.sessionStart = Date.now();
 
     return loginResp.response.sid;
   }
@@ -124,33 +142,14 @@ export abstract class APIClientBase {
     if (method.toUpperCase() !== 'GET' && data !== undefined) {
       config.data = data;
     }
-    
-    // Get settings to check if verbose mode is enabled
-    const settings = (globalThis as any).cpMcpSettings as import('./settings').Settings | undefined;
-    const verbose = settings?.verbose || false;
-    
-    // Always log the URL for our debug API
-    if (verbose) {
-      console.error(`🌐 API Request: ${method} ${url}`);
-      console.error('Headers: ' + JSON.stringify(headers));
-      console.error('Params: ' + JSON.stringify(params));
-      console.error('Data: ' + JSON.stringify(data));
-    } else {
-      console.error(`🌐 API Request: ${method} ${url}`);
-    }
+
+    console.error(`API Request: ${method} ${url}`);
 
     try {
       const response = await axios(config);
-      
-      if (verbose) {
-        console.error(`✅ API Response (${response.status}):`);
-        console.error('Headers: ' + JSON.stringify(response.headers));
-        console.error('Data: ' + JSON.stringify(response.data));
-      }
-      
       return new ClientResponse(response.status, response.data as Record<string, any>);
     } catch (error: any) {
-      if (verbose && error.response) {
+      if (error.response) {
         console.error(`❌ API Error (${error.response.status}):`);
         console.error('Headers:', error.response.headers);
         console.error('Data:', error.response.data);
@@ -215,8 +214,8 @@ export class OnPremAPIClient extends APIClientBase {
     data: Record<string, any>,
     params?: Record<string, any>
   ): Promise<ClientResponse> {
-    if (!this.sid) {
-      this.sid = await this.loginWithApiKey();
+    if (!this.sid || this.isSessionExpired()) {
+      this.sid = await this.login();
     }
 
     // Allow self-signed certs for on-prem management servers
@@ -237,22 +236,15 @@ export class OnPremAPIClient extends APIClientBase {
    * Override loginWithApiKey to support both api-key and username/password authentication
    * and allow self-signed certificates
    */
-  async loginWithApiKey(): Promise<string> {
+  async login(): Promise<string> {
     // Determine if we're using API key or username/password
     const isUsingApiKey = !!this.apiKey;
     const isUsingCredentials = !!(this.username && this.password);
 
     if (!isUsingApiKey && !isUsingCredentials) {
       throw new Error("Authentication failed: No API key or username/password provided");
     }
-    
-    // Log authentication method
-    if (isUsingApiKey) {
-      console.error("Logging in with API key (allowing self-signed certificates)");
-    } else {
-      console.error("Logging in with username/password (allowing self-signed certificates)");
-    }
-    
+
     // Allow self-signed certs for on-prem management servers
     const httpsAgent = new https.Agent({ rejectUnauthorized: false });
 
@@ -270,7 +262,11 @@ export class OnPremAPIClient extends APIClientBase {
       null,
       httpsAgent
     );
-    
+
+    this.sessionTimeout = loginResp.response["session-timeout"] || null;
+    this.sessionStart = Date.now();
+    this.sid = loginResp.response.sid;
+
     return loginResp.response.sid;
   }
 }

packages/infra/src/settings.ts

@@ -1,5 +1,6 @@
 // Settings manager for MCP servers
-import * as z from 'zod';
+
+import { nullOrEmpty } from './string-utils.js';
 
 // Singleton instance for settings
 let globalSettings: Settings | null = null;
@@ -64,25 +65,31 @@ export class Settings {
     this.managementPort = managementPort;
     this.origin = origin;
     this.verbose = verbose;
-    
+
     this.validate();
   }
   /**
    * Validate the settings
    */
+
+  
   private validate(): void {
     // For S1C, API key is required
-    if (this.s1cUrl && !this.apiKey) {
+    if (!nullOrEmpty(this.s1cUrl) && nullOrEmpty(this.apiKey)) {
       throw new Error('API key is required for S1C (via --api-key or API_KEY env var)');
     }
 
     // For on-prem, either API key or username/password is required
-    if (this.managementHost && !this.apiKey && !(this.username && this.password)) {
+    if (
+      !nullOrEmpty(this.managementHost) &&
+      nullOrEmpty(this.apiKey) &&
+      (nullOrEmpty(this.username) || nullOrEmpty(this.password))
+    ) {
       throw new Error('Either API key or username/password are required for on-prem management (via CLI args or env vars)');
     }
 
     // Need either management URL or management host
-    if (!this.s1cUrl && !this.managementHost) {
+    if (nullOrEmpty(this.s1cUrl) && nullOrEmpty(this.managementHost)) {
       // This validation is commented out in the Python code, so we'll do the same
       // throw new Error(
       //   'You must provide either management URL (cloud) or management host (on-prem) via CLI or env vars'

packages/infra/src/string-utils.ts

@@ -0,0 +1,8 @@
+// Utility for string checks
+export function nullOrEmpty(val?: string): boolean {
+  return (
+    val === undefined ||
+    val === null ||
+    (typeof val === 'string' && (val.trim() === '' || val === 'undefined' || val === 'null'))
+  );
+}