feat(agent): Support SSL/TLS for MCP (#2591)

2025-09-20 00:54:43 +00:00 · 2025-04-08 08:47:41 +08:00
parent 0fd578cf87
commit e9ce534ca1
6 changed files with 261 additions and 11 deletions
--- a/packages/dbgpt-serve/src/dbgpt_serve/agent/resource/mcp.py
+++ b/packages/dbgpt-serve/src/dbgpt_serve/agent/resource/mcp.py
@@ -50,12 +50,14 @@ class MCPPackResourceParameters(PackResourceParameters):
 class MCPSSEToolPack(MCPToolPack):
    def __init__(self, mcp_servers: Union[str, List[str]], **kwargs):
        """Initialize the MCPSSEToolPack with the given MCP servers."""
+        import ssl
+
        headers = {}
+        # token is not supported in sse mode
+        servers = (
+            mcp_servers.split(";") if isinstance(mcp_servers, str) else mcp_servers
+        )
        if "token" in kwargs and kwargs["token"]:
-            # token is not supported in sse mode
-            servers = (
-                mcp_servers.split(";") if isinstance(mcp_servers, str) else mcp_servers
-            )
            tokens = (
                kwargs["token"].split(";")
                if isinstance(kwargs["token"], str)
@@ -69,7 +71,33 @@ class MCPSSEToolPack(MCPToolPack):
                for server in servers:
                    headers[server] = {"Authorization": f"Bearer {token}"}
            kwargs.pop("token")
-        super().__init__(mcp_servers=mcp_servers, headers=headers, **kwargs)
+        ssl_verify = True
+        ssl_verify_map = {}
+        if "no_ssl_verify" in kwargs:
+            if kwargs["no_ssl_verify"] is True:
+                ssl_verify = False
+            kwargs.pop("no_ssl_verify")
+        if ssl_verify is True and "ssl_ca_cert" in kwargs:
+            ssl_ca_certs = (
+                kwargs["ssl_ca_cert"].split(";")
+                if isinstance(kwargs["ssl_ca_cert"], str)
+                else kwargs["ssl_ca_cert"]
+            )
+            if len(servers) == len(ssl_ca_certs):
+                for i, ssl_ca_cert in enumerate(ssl_ca_certs):
+                    ssl_verify_map[servers[i]] = ssl.create_default_context(
+                        cafile=ssl_ca_cert
+                    )
+            else:
+                ssl_ca_cert = ssl_ca_certs[0]
+                for server in servers:
+                    ssl_verify_map[server] = ssl.create_default_context(
+                        cafile=ssl_ca_cert
+                    )
+        verify = ssl_verify_map if ssl_verify_map else ssl_verify
+        super().__init__(
+            mcp_servers=mcp_servers, headers=headers, ssl_verify=verify, **kwargs
+        )

    @classmethod
    def type_alias(cls) -> str:
@@ -97,5 +125,20 @@ class MCPSSEToolPack(MCPToolPack):
                    "tags": "privacy",
                },
            )
+            no_ssl_verify: bool = dataclasses.field(
+                default=False,
+                metadata={
+                    "help": _(
+                        "Disable SSL verification. "
+                        "This is not recommended for production use."
+                    ),
+                },
+            )
+            ssl_ca_cert: Optional[str] = dataclasses.field(
+                default=None,
+                metadata={
+                    "help": _("Path to the CA certificate file. split by ';' "),
+                },
+            )

        return _DynMCPSSEPackResourceParameters