feat: Add allow_insecure_tls field to gateway model and UI

- Added allow_insecure_tls boolean field to Gateway model and schemas - Created database migration for the new field - Updated GatewayConfig to include allow_insecure_tls parameter - Modified openclaw_call to create SSL context that disables verification when allow_insecure_tls is true - Updated all GatewayConfig instantiations throughout the backend - Added checkbox to frontend gateway form (create and edit pages) - Updated API endpoints to handle the new field Co-authored-by: abhi1693 <5083532+abhi1693@users.noreply.github.com>
2026-02-22 05:28:37 +00:00
parent 6455a27176
commit 520e128777
12 changed files with 135 additions and 13 deletions
--- a/backend/app/api/gateways.py
+++ b/backend/app/api/gateways.py
@@ -94,7 +94,9 @@ async def create_gateway(
 ) -> Gateway:
    """Create a gateway and provision or refresh its main agent."""
    service = GatewayAdminLifecycleService(session)
-    await service.assert_gateway_runtime_compatible(url=payload.url, token=payload.token)
+    await service.assert_gateway_runtime_compatible(
        url=payload.url, token=payload.token, allow_insecure_tls=payload.allow_insecure_tls
    )
    data = payload.model_dump()
    gateway_id = uuid4()
    data["id"] = gateway_id
@@ -134,12 +136,15 @@ async def update_gateway(
        organization_id=ctx.organization.id,
    )
    updates = payload.model_dump(exclude_unset=True)
-    if "url" in updates or "token" in updates:
+    if "url" in updates or "token" in updates or "allow_insecure_tls" in updates:
        raw_next_url = updates.get("url", gateway.url)
        next_url = raw_next_url.strip() if isinstance(raw_next_url, str) else ""
        next_token = updates.get("token", gateway.token)
        next_allow_insecure_tls = updates.get("allow_insecure_tls", gateway.allow_insecure_tls)
        if next_url:
-            await service.assert_gateway_runtime_compatible(url=next_url, token=next_token)
+            await service.assert_gateway_runtime_compatible(
                url=next_url, token=next_token, allow_insecure_tls=next_allow_insecure_tls
            )
    await crud.patch(session, gateway, updates)
    await service.ensure_main_agent(gateway, auth, action="update")
    return gateway
--- a/backend/app/models/gateways.py
+++ b/backend/app/models/gateways.py
@@ -24,5 +24,6 @@ class Gateway(QueryModel, table=True):
    url: str
    token: str | None = Field(default=None)
    workspace_root: str
    allow_insecure_tls: bool = Field(default=False)
    created_at: datetime = Field(default_factory=utcnow)
    updated_at: datetime = Field(default_factory=utcnow)
--- a/backend/app/schemas/gateways.py
+++ b/backend/app/schemas/gateways.py
@@ -17,6 +17,7 @@ class GatewayBase(SQLModel):
    name: str
    url: str
    workspace_root: str
    allow_insecure_tls: bool = False
 class GatewayCreate(GatewayBase):
@@ -43,6 +44,7 @@ class GatewayUpdate(SQLModel):
    url: str | None = None
    token: str | None = None
    workspace_root: str | None = None
    allow_insecure_tls: bool | None = None
    @field_validator("token", mode="before")
    @classmethod
--- a/backend/app/services/openclaw/admin_service.py
+++ b/backend/app/services/openclaw/admin_service.py
@@ -167,7 +167,9 @@ class GatewayAdminLifecycleService(OpenClawDBService):
    async def gateway_has_main_agent_entry(self, gateway: Gateway) -> bool:
        if not gateway.url:
            return False
-        config = GatewayClientConfig(url=gateway.url, token=gateway.token)
+        config = GatewayClientConfig(
            url=gateway.url, token=gateway.token, allow_insecure_tls=gateway.allow_insecure_tls
        )
        target_id = GatewayAgentIdentity.openclaw_agent_id(gateway)
        try:
            await openclaw_call("agents.files.list", {"agentId": target_id}, config=config)
@@ -178,9 +180,11 @@ class GatewayAdminLifecycleService(OpenClawDBService):
            return True
        return True
-    async def assert_gateway_runtime_compatible(self, *, url: str, token: str | None) -> None:
+    async def assert_gateway_runtime_compatible(
        self, *, url: str, token: str | None, allow_insecure_tls: bool = False
    ) -> None:
        """Validate that a gateway runtime meets minimum supported version."""
-        config = GatewayClientConfig(url=url, token=token)
+        config = GatewayClientConfig(url=url, token=token, allow_insecure_tls=allow_insecure_tls)
        try:
            result = await check_gateway_runtime_compatibility(config)
        except OpenClawGatewayError as exc:
--- a/backend/app/services/openclaw/gateway_resolver.py
+++ b/backend/app/services/openclaw/gateway_resolver.py
@@ -32,7 +32,9 @@ def gateway_client_config(gateway: Gateway) -> GatewayClientConfig:
            detail="Gateway url is required",
        )
    token = (gateway.token or "").strip() or None
-    return GatewayClientConfig(url=url, token=token)
+    return GatewayClientConfig(
        url=url, token=token, allow_insecure_tls=gateway.allow_insecure_tls
    )
 def optional_gateway_client_config(gateway: Gateway | None) -> GatewayClientConfig | None:
@@ -43,7 +45,9 @@ def optional_gateway_client_config(gateway: Gateway | None) -> GatewayClientConf
    if not url:
        return None
    token = (gateway.token or "").strip() or None
-    return GatewayClientConfig(url=url, token=token)
+    return GatewayClientConfig(
        url=url, token=token, allow_insecure_tls=gateway.allow_insecure_tls
    )
 def require_gateway_workspace_root(gateway: Gateway) -> str:
--- a/backend/app/services/openclaw/gateway_rpc.py
+++ b/backend/app/services/openclaw/gateway_rpc.py
@@ -9,6 +9,7 @@ from __future__ import annotations
 import asyncio
 import json
 import ssl
 from dataclasses import dataclass
 from time import perf_counter
 from typing import Any
@@ -160,6 +161,7 @@ class GatewayConfig:
    url: str
    token: str | None = None
    allow_insecure_tls: bool = False
 def _build_gateway_url(config: GatewayConfig) -> str:
@@ -180,6 +182,27 @@ def _redacted_url_for_log(raw_url: str) -> str:
    return str(urlunparse(parsed._replace(query="", fragment="")))
 def _create_ssl_context(config: GatewayConfig) -> ssl.SSLContext | None:
    """Create SSL context for websocket connection.
    Returns None for non-SSL connections (ws://) or an SSL context for wss://.
    If allow_insecure_tls is True, the context will not verify certificates.
    """
    parsed = urlparse(config.url)
    if parsed.scheme != "wss":
        return None
    if config.allow_insecure_tls:
        # Create SSL context that doesn't verify certificates
        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ssl_context.check_hostname = False
        ssl_context.verify_mode = ssl.CERT_NONE
        return ssl_context
    # Use default SSL context with certificate verification
    return None
 async def _await_response(
    ws: websockets.ClientConnection,
    request_id: str,
@@ -283,14 +306,18 @@ async def openclaw_call(
 ) -> object:
    """Call a gateway RPC method and return the result payload."""
    gateway_url = _build_gateway_url(config)
    ssl_context = _create_ssl_context(config)
    started_at = perf_counter()
    logger.debug(
-        "gateway.rpc.call.start method=%s gateway_url=%s",
+        "gateway.rpc.call.start method=%s gateway_url=%s allow_insecure_tls=%s",
        method,
        _redacted_url_for_log(gateway_url),
        config.allow_insecure_tls,
    )
    try:
-        async with websockets.connect(gateway_url, ping_interval=None) as ws:
+        async with websockets.connect(
            gateway_url, ping_interval=None, ssl=ssl_context
        ) as ws:
            first_message = None
            try:
                first_message = await asyncio.wait_for(ws.recv(), timeout=2)
--- a/backend/app/services/openclaw/provisioning.py
+++ b/backend/app/services/openclaw/provisioning.py
@@ -970,7 +970,9 @@ def _control_plane_for_gateway(gateway: Gateway) -> OpenClawGatewayControlPlane:
        msg = "Gateway url is required"
        raise OpenClawGatewayError(msg)
    return OpenClawGatewayControlPlane(
-        GatewayClientConfig(url=gateway.url, token=gateway.token),
+        GatewayClientConfig(
            url=gateway.url, token=gateway.token, allow_insecure_tls=gateway.allow_insecure_tls
        ),
    )
@@ -1099,7 +1101,9 @@ class OpenClawGatewayProvisioner:
        if not wake:
            return
-        client_config = GatewayClientConfig(url=gateway.url, token=gateway.token)
+        client_config = GatewayClientConfig(
            url=gateway.url, token=gateway.token, allow_insecure_tls=gateway.allow_insecure_tls
        )
        await ensure_session(session_key, config=client_config, label=agent.name)
        verb = wakeup_verb or ("provisioned" if action == "provision" else "updated")
        await send_message(
--- a/backend/app/services/openclaw/provisioning_db.py
+++ b/backend/app/services/openclaw/provisioning_db.py
@@ -285,7 +285,11 @@ class OpenClawProvisioningService(OpenClawDBService):
            return result
        control_plane = OpenClawGatewayControlPlane(
-            GatewayClientConfig(url=gateway.url, token=gateway.token),
+            GatewayClientConfig(
                url=gateway.url,
                token=gateway.token,
                allow_insecure_tls=gateway.allow_insecure_tls,
            ),
        )
        ctx = _SyncContext(
            session=self.session,
--- a/backend/migrations/versions/2f3e4a5b6c7d_add_gateway_allow_insecure_tls.py
+++ b/backend/migrations/versions/2f3e4a5b6c7d_add_gateway_allow_insecure_tls.py
@@ -0,0 +1,37 @@
 """Add allow_insecure_tls field to gateways.
 Revision ID: 2f3e4a5b6c7d
 Revises: 1a7b2c3d4e5f
 Create Date: 2026-02-22 05:30:00.000000
 """
 from __future__ import annotations
 import sqlalchemy as sa
 from alembic import op
 # revision identifiers, used by Alembic.
 revision = "2f3e4a5b6c7d"
 down_revision = "1a7b2c3d4e5f"
 branch_labels = None
 depends_on = None
 def upgrade() -> None:
    """Add gateways.allow_insecure_tls column with default False."""
    op.add_column(
        "gateways",
        sa.Column(
            "allow_insecure_tls",
            sa.Boolean(),
            nullable=False,
            server_default=sa.text("false"),
        ),
    )
    op.alter_column("gateways", "allow_insecure_tls", server_default=None)
 def downgrade() -> None:
    """Remove gateways.allow_insecure_tls column."""
    op.drop_column("gateways", "allow_insecure_tls")
--- a/frontend/src/app/gateways/[gatewayId]/edit/page.tsx
+++ b/frontend/src/app/gateways/[gatewayId]/edit/page.tsx
@@ -43,6 +43,9 @@ export default function EditGatewayPage() {
  const [workspaceRoot, setWorkspaceRoot] = useState<string | undefined>(
    undefined,
  );
  const [allowInsecureTls, setAllowInsecureTls] = useState<boolean | undefined>(
    undefined,
  );
  const [gatewayUrlError, setGatewayUrlError] = useState<string | null>(null);
  const [gatewayCheckStatus, setGatewayCheckStatus] =
@@ -84,6 +87,8 @@ export default function EditGatewayPage() {
  const resolvedGatewayToken = gatewayToken ?? loadedGateway?.token ?? "";
  const resolvedWorkspaceRoot =
    workspaceRoot ?? loadedGateway?.workspace_root ?? DEFAULT_WORKSPACE_ROOT;
  const resolvedAllowInsecureTls =
    allowInsecureTls ?? loadedGateway?.allow_insecure_tls ?? false;
  const isLoading = gatewayQuery.isLoading || updateMutation.isPending;
  const errorMessage = error ?? gatewayQuery.error?.message ?? null;
@@ -140,6 +145,7 @@ export default function EditGatewayPage() {
      url: resolvedGatewayUrl.trim(),
      token: resolvedGatewayToken.trim() || null,
      workspace_root: resolvedWorkspaceRoot.trim(),
      allow_insecure_tls: resolvedAllowInsecureTls,
    };
    updateMutation.mutate({ gatewayId, data: payload });
@@ -165,6 +171,7 @@ export default function EditGatewayPage() {
        gatewayUrl={resolvedGatewayUrl}
        gatewayToken={resolvedGatewayToken}
        workspaceRoot={resolvedWorkspaceRoot}
        allowInsecureTls={resolvedAllowInsecureTls}
        gatewayUrlError={gatewayUrlError}
        gatewayCheckStatus={gatewayCheckStatus}
        gatewayCheckMessage={gatewayCheckMessage}
@@ -191,6 +198,7 @@ export default function EditGatewayPage() {
          setGatewayCheckMessage(null);
        }}
        onWorkspaceRootChange={setWorkspaceRoot}
        onAllowInsecureTlsChange={setAllowInsecureTls}
      />
    </DashboardPageLayout>
  );
--- a/frontend/src/app/gateways/new/page.tsx
+++ b/frontend/src/app/gateways/new/page.tsx
@@ -29,6 +29,7 @@ export default function NewGatewayPage() {
  const [gatewayUrl, setGatewayUrl] = useState("");
  const [gatewayToken, setGatewayToken] = useState("");
  const [workspaceRoot, setWorkspaceRoot] = useState(DEFAULT_WORKSPACE_ROOT);
  const [allowInsecureTls, setAllowInsecureTls] = useState(false);
  const [gatewayUrlError, setGatewayUrlError] = useState<string | null>(null);
  const [gatewayCheckStatus, setGatewayCheckStatus] =
@@ -106,6 +107,7 @@ export default function NewGatewayPage() {
        url: gatewayUrl.trim(),
        token: gatewayToken.trim() || null,
        workspace_root: workspaceRoot.trim(),
        allow_insecure_tls: allowInsecureTls,
      },
    });
  };
@@ -126,6 +128,7 @@ export default function NewGatewayPage() {
        gatewayUrl={gatewayUrl}
        gatewayToken={gatewayToken}
        workspaceRoot={workspaceRoot}
        allowInsecureTls={allowInsecureTls}
        gatewayUrlError={gatewayUrlError}
        gatewayCheckStatus={gatewayCheckStatus}
        gatewayCheckMessage={gatewayCheckMessage}
@@ -152,6 +155,7 @@ export default function NewGatewayPage() {
          setGatewayCheckMessage(null);
        }}
        onWorkspaceRootChange={setWorkspaceRoot}
        onAllowInsecureTlsChange={setAllowInsecureTls}
      />
    </DashboardPageLayout>
  );
--- a/frontend/src/components/gateways/GatewayForm.tsx
+++ b/frontend/src/components/gateways/GatewayForm.tsx
@@ -10,6 +10,7 @@ type GatewayFormProps = {
  gatewayUrl: string;
  gatewayToken: string;
  workspaceRoot: string;
  allowInsecureTls: boolean;
  gatewayUrlError: string | null;
  gatewayCheckStatus: GatewayCheckStatus;
  gatewayCheckMessage: string | null;
@@ -27,6 +28,7 @@ type GatewayFormProps = {
  onGatewayUrlChange: (next: string) => void;
  onGatewayTokenChange: (next: string) => void;
  onWorkspaceRootChange: (next: string) => void;
  onAllowInsecureTlsChange: (next: boolean) => void;
 };
 export function GatewayForm({
@@ -34,6 +36,7 @@ export function GatewayForm({
  gatewayUrl,
  gatewayToken,
  workspaceRoot,
  allowInsecureTls,
  gatewayUrlError,
  gatewayCheckStatus,
  gatewayCheckMessage,
@@ -51,6 +54,7 @@ export function GatewayForm({
  onGatewayUrlChange,
  onGatewayTokenChange,
  onWorkspaceRootChange,
  onAllowInsecureTlsChange,
 }: GatewayFormProps) {
  return (
    <form
@@ -140,6 +144,24 @@ export function GatewayForm({
        />
      </div>
      <div className="flex items-center gap-2">
        <input
          type="checkbox"
          id="allow-insecure-tls"
          className="h-4 w-4 rounded border-slate-300 text-blue-600"
          checked={allowInsecureTls}
          onChange={(event) => onAllowInsecureTlsChange(event.target.checked)}
          disabled={isLoading}
        />
        <label
          htmlFor="allow-insecure-tls"
          className="text-sm text-slate-700 cursor-pointer"
        >
          Allow self-signed TLS certificates (for localhost or trusted local
          networks)
        </label>
      </div>
      {errorMessage ? (
        <p className="text-sm text-red-500">{errorMessage}</p>
      ) : null}