feat: add support for allowing self-signed TLS certificates in gateway configuration

2026-02-22 20:20:19 +05:30
parent d37f230eb3
commit 56f4964332
11 changed files with 89 additions and 19 deletions
--- a/backend/tests/test_gateway_resolver.py
+++ b/backend/tests/test_gateway_resolver.py
@@ -3,7 +3,10 @@ from __future__ import annotations

 from uuid import uuid4

+import pytest
+
 from app.models.gateways import Gateway
+from app.schemas.gateway_api import GatewayResolveQuery
 from app.services.openclaw.gateway_resolver import (
    gateway_client_config,
    optional_gateway_client_config,
@@ -14,6 +17,7 @@ from app.services.openclaw.session_service import GatewaySessionService
 def _gateway(
    *,
    disable_device_pairing: bool,
+    allow_insecure_tls: bool = False,
    url: str = "ws://gateway.example:18789/ws",
    token: str | None = " secret-token ",
 ) -> Gateway:
@@ -25,6 +29,7 @@ def _gateway(
        token=token,
        workspace_root="~/.openclaw",
        disable_device_pairing=disable_device_pairing,
+        allow_insecure_tls=allow_insecure_tls,
    )


@@ -43,6 +48,14 @@ def test_optional_gateway_client_config_maps_disable_device_pairing() -> None:
    assert config.disable_device_pairing is False


+def test_gateway_client_config_maps_allow_insecure_tls() -> None:
+    config = gateway_client_config(
+        _gateway(disable_device_pairing=False, allow_insecure_tls=True),
+    )
+
+    assert config.allow_insecure_tls is True
+
+
 def test_optional_gateway_client_config_returns_none_for_missing_or_blank_url() -> None:
    assert optional_gateway_client_config(None) is None
    assert (
@@ -62,3 +75,28 @@ def test_to_resolve_query_keeps_gateway_disable_device_pairing_value() -> None:
    )

    assert resolved.gateway_disable_device_pairing is True
+
+
+def test_to_resolve_query_keeps_gateway_allow_insecure_tls_value() -> None:
+    resolved = GatewaySessionService.to_resolve_query(
+        board_id=None,
+        gateway_url="wss://gateway.example:18789/ws",
+        gateway_token="secret-token",
+        gateway_allow_insecure_tls=True,
+    )
+
+    assert resolved.gateway_allow_insecure_tls is True
+
+
+@pytest.mark.asyncio
+async def test_resolve_gateway_keeps_gateway_allow_insecure_tls_for_direct_url() -> None:
+    service = GatewaySessionService(session=object())  # type: ignore[arg-type]
+    _, config, _ = await service.resolve_gateway(
+        GatewayResolveQuery(
+            gateway_url="wss://gateway.example:18789/ws",
+            gateway_allow_insecure_tls=True,
+        ),
+        user=None,
+    )
+
+    assert config.allow_insecure_tls is True