feat: Add allow_insecure_tls field to gateway model and UI

- Added allow_insecure_tls boolean field to Gateway model and schemas - Created database migration for the new field - Updated GatewayConfig to include allow_insecure_tls parameter - Modified openclaw_call to create SSL context that disables verification when allow_insecure_tls is true - Updated all GatewayConfig instantiations throughout the backend - Added checkbox to frontend gateway form (create and edit pages) - Updated API endpoints to handle the new field Co-authored-by: abhi1693 <5083532+abhi1693@users.noreply.github.com>
2026-02-22 05:28:37 +00:00
parent 6455a27176
commit 520e128777
12 changed files with 135 additions and 13 deletions
--- a/backend/app/api/gateways.py
+++ b/backend/app/api/gateways.py
@@ -94,7 +94,9 @@ async def create_gateway(
 ) -> Gateway:
    """Create a gateway and provision or refresh its main agent."""
    service = GatewayAdminLifecycleService(session)
-    await service.assert_gateway_runtime_compatible(url=payload.url, token=payload.token)
+    await service.assert_gateway_runtime_compatible(
+        url=payload.url, token=payload.token, allow_insecure_tls=payload.allow_insecure_tls
+    )
    data = payload.model_dump()
    gateway_id = uuid4()
    data["id"] = gateway_id
@@ -134,12 +136,15 @@ async def update_gateway(
        organization_id=ctx.organization.id,
    )
    updates = payload.model_dump(exclude_unset=True)
-    if "url" in updates or "token" in updates:
+    if "url" in updates or "token" in updates or "allow_insecure_tls" in updates:
        raw_next_url = updates.get("url", gateway.url)
        next_url = raw_next_url.strip() if isinstance(raw_next_url, str) else ""
        next_token = updates.get("token", gateway.token)
+        next_allow_insecure_tls = updates.get("allow_insecure_tls", gateway.allow_insecure_tls)
        if next_url:
-            await service.assert_gateway_runtime_compatible(url=next_url, token=next_token)
+            await service.assert_gateway_runtime_compatible(
+                url=next_url, token=next_token, allow_insecure_tls=next_allow_insecure_tls
+            )
    await crud.patch(session, gateway, updates)
    await service.ensure_main_agent(gateway, auth, action="update")
    return gateway
--- a/backend/app/models/gateways.py
+++ b/backend/app/models/gateways.py
@@ -24,5 +24,6 @@ class Gateway(QueryModel, table=True):
    url: str
    token: str | None = Field(default=None)
    workspace_root: str
+    allow_insecure_tls: bool = Field(default=False)
    created_at: datetime = Field(default_factory=utcnow)
    updated_at: datetime = Field(default_factory=utcnow)
--- a/backend/app/schemas/gateways.py
+++ b/backend/app/schemas/gateways.py
@@ -17,6 +17,7 @@ class GatewayBase(SQLModel):
    name: str
    url: str
    workspace_root: str
+    allow_insecure_tls: bool = False


 class GatewayCreate(GatewayBase):
@@ -43,6 +44,7 @@ class GatewayUpdate(SQLModel):
    url: str | None = None
    token: str | None = None
    workspace_root: str | None = None
+    allow_insecure_tls: bool | None = None

    @field_validator("token", mode="before")
    @classmethod
--- a/backend/app/services/openclaw/admin_service.py
+++ b/backend/app/services/openclaw/admin_service.py
@@ -167,7 +167,9 @@ class GatewayAdminLifecycleService(OpenClawDBService):
    async def gateway_has_main_agent_entry(self, gateway: Gateway) -> bool:
        if not gateway.url:
            return False
-        config = GatewayClientConfig(url=gateway.url, token=gateway.token)
+        config = GatewayClientConfig(
+            url=gateway.url, token=gateway.token, allow_insecure_tls=gateway.allow_insecure_tls
+        )
        target_id = GatewayAgentIdentity.openclaw_agent_id(gateway)
        try:
            await openclaw_call("agents.files.list", {"agentId": target_id}, config=config)
@@ -178,9 +180,11 @@ class GatewayAdminLifecycleService(OpenClawDBService):
            return True
        return True

-    async def assert_gateway_runtime_compatible(self, *, url: str, token: str | None) -> None:
+    async def assert_gateway_runtime_compatible(
+        self, *, url: str, token: str | None, allow_insecure_tls: bool = False
+    ) -> None:
        """Validate that a gateway runtime meets minimum supported version."""
-        config = GatewayClientConfig(url=url, token=token)
+        config = GatewayClientConfig(url=url, token=token, allow_insecure_tls=allow_insecure_tls)
        try:
            result = await check_gateway_runtime_compatibility(config)
        except OpenClawGatewayError as exc:
--- a/backend/app/services/openclaw/gateway_resolver.py
+++ b/backend/app/services/openclaw/gateway_resolver.py
@@ -32,7 +32,9 @@ def gateway_client_config(gateway: Gateway) -> GatewayClientConfig:
            detail="Gateway url is required",
        )
    token = (gateway.token or "").strip() or None
-    return GatewayClientConfig(url=url, token=token)
+    return GatewayClientConfig(
+        url=url, token=token, allow_insecure_tls=gateway.allow_insecure_tls
+    )


 def optional_gateway_client_config(gateway: Gateway | None) -> GatewayClientConfig | None:
@@ -43,7 +45,9 @@ def optional_gateway_client_config(gateway: Gateway | None) -> GatewayClientConf
    if not url:
        return None
    token = (gateway.token or "").strip() or None
-    return GatewayClientConfig(url=url, token=token)
+    return GatewayClientConfig(
+        url=url, token=token, allow_insecure_tls=gateway.allow_insecure_tls
+    )


 def require_gateway_workspace_root(gateway: Gateway) -> str:
--- a/backend/app/services/openclaw/gateway_rpc.py
+++ b/backend/app/services/openclaw/gateway_rpc.py
@@ -9,6 +9,7 @@ from __future__ import annotations

 import asyncio
 import json
+import ssl
 from dataclasses import dataclass
 from time import perf_counter
 from typing import Any
@@ -160,6 +161,7 @@ class GatewayConfig:

    url: str
    token: str | None = None
+    allow_insecure_tls: bool = False


 def _build_gateway_url(config: GatewayConfig) -> str:
@@ -180,6 +182,27 @@ def _redacted_url_for_log(raw_url: str) -> str:
    return str(urlunparse(parsed._replace(query="", fragment="")))


+def _create_ssl_context(config: GatewayConfig) -> ssl.SSLContext | None:
+    """Create SSL context for websocket connection.
+    
+    Returns None for non-SSL connections (ws://) or an SSL context for wss://.
+    If allow_insecure_tls is True, the context will not verify certificates.
+    """
+    parsed = urlparse(config.url)
+    if parsed.scheme != "wss":
+        return None
+    
+    if config.allow_insecure_tls:
+        # Create SSL context that doesn't verify certificates
+        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        ssl_context.check_hostname = False
+        ssl_context.verify_mode = ssl.CERT_NONE
+        return ssl_context
+    
+    # Use default SSL context with certificate verification
+    return None
+
+
 async def _await_response(
    ws: websockets.ClientConnection,
    request_id: str,
@@ -283,14 +306,18 @@ async def openclaw_call(
 ) -> object:
    """Call a gateway RPC method and return the result payload."""
    gateway_url = _build_gateway_url(config)
+    ssl_context = _create_ssl_context(config)
    started_at = perf_counter()
    logger.debug(
-        "gateway.rpc.call.start method=%s gateway_url=%s",
+        "gateway.rpc.call.start method=%s gateway_url=%s allow_insecure_tls=%s",
        method,
        _redacted_url_for_log(gateway_url),
+        config.allow_insecure_tls,
    )
    try:
-        async with websockets.connect(gateway_url, ping_interval=None) as ws:
+        async with websockets.connect(
+            gateway_url, ping_interval=None, ssl=ssl_context
+        ) as ws:
            first_message = None
            try:
                first_message = await asyncio.wait_for(ws.recv(), timeout=2)
--- a/backend/app/services/openclaw/provisioning.py
+++ b/backend/app/services/openclaw/provisioning.py
@@ -970,7 +970,9 @@ def _control_plane_for_gateway(gateway: Gateway) -> OpenClawGatewayControlPlane:
        msg = "Gateway url is required"
        raise OpenClawGatewayError(msg)
    return OpenClawGatewayControlPlane(
-        GatewayClientConfig(url=gateway.url, token=gateway.token),
+        GatewayClientConfig(
+            url=gateway.url, token=gateway.token, allow_insecure_tls=gateway.allow_insecure_tls
+        ),
    )


@@ -1099,7 +1101,9 @@ class OpenClawGatewayProvisioner:
        if not wake:
            return

-        client_config = GatewayClientConfig(url=gateway.url, token=gateway.token)
+        client_config = GatewayClientConfig(
+            url=gateway.url, token=gateway.token, allow_insecure_tls=gateway.allow_insecure_tls
+        )
        await ensure_session(session_key, config=client_config, label=agent.name)
        verb = wakeup_verb or ("provisioned" if action == "provision" else "updated")
        await send_message(
--- a/backend/app/services/openclaw/provisioning_db.py
+++ b/backend/app/services/openclaw/provisioning_db.py
@@ -285,7 +285,11 @@ class OpenClawProvisioningService(OpenClawDBService):
            return result

        control_plane = OpenClawGatewayControlPlane(
-            GatewayClientConfig(url=gateway.url, token=gateway.token),
+            GatewayClientConfig(
+                url=gateway.url,
+                token=gateway.token,
+                allow_insecure_tls=gateway.allow_insecure_tls,
+            ),
        )
        ctx = _SyncContext(
            session=self.session,