
Enabling HTTPS with Encrypted SSL Keys via Passphrase Support#1578

Merged: madhav165 merged 9 commits into main from ssl_supporting_passphrase on Dec 12, 2025

Conversation

@kevalmahajan (Member) commented Dec 11, 2025

🐛 Bug-fix PR

📌 Summary

Closes #1577

This PR adds support for SSL certificates with passphrase-protected private keys in both production (Gunicorn) and development (Uvicorn) environments. Previously, only unencrypted SSL keys were supported, causing server crashes when attempting to use passphrase-protected keys for HTTPS configuration.

Many organizations require passphrase-protected private keys as a security best practice. This PR enables MCP Gateway to work in such environments while maintaining full backward compatibility.

🐞 Root Cause

Gunicorn's --certfile and --keyfile command-line options do not support passphrase-protected private keys. When a passphrase-protected key is provided, Gunicorn cannot decrypt it and fails to start.

Location of issue:

  • run-gunicorn.sh: No mechanism to handle passphrases
  • gunicorn.config.py: No SSL key decryption logic
  • Missing utility to decrypt passphrase-protected keys

💡 Fix Description

Key Design Points

  1. SSL Key Manager Utility (mcpgateway/utils/ssl_key_manager.py)

    • Decrypts passphrase-protected keys using cryptography library
    • Writes decrypted key to secure temporary file (0o600 permissions)
    • Automatic cleanup via atexit handler
    • Returns original path for unencrypted keys (zero overhead)
  2. Environment Variable Support (run-gunicorn.sh)

    • Added KEY_FILE_PASSWORD environment variable
    • Alternative CERT_PASSPHRASE for compatibility
    • Exports SSL_KEY_PASSWORD for Python to access
    • Enhanced user feedback (shows passphrase status without exposing value)
  3. Gunicorn Integration (gunicorn.config.py)

    • Added on_starting hook to handle key decryption before workers spawn
    • Checks SSL and SSL_KEY_PASSWORD environment variables
    • Updates Gunicorn's keyfile config to use decrypted temporary file
    • Proper error handling with informative messages
  4. Developer Experience (Makefile)

    • make certs-passphrase: Generate passphrase-protected certificates
    • make certs-remove-passphrase: Convert encrypted key to unencrypted
    • Updated help documentation
  5. Docker Support (docker-compose.yml)

    • Added KEY_FILE_PASSWORD environment variable example
    • Clear documentation for SSL setup with/without passphrases

🧪 Verification

Check               Command          Status
Lint suite          make lint
Unit tests          make test
Coverage ≥ 90 %     make coverage
Manual regression   no longer fails  steps / screenshots

📐 MCP Compliance (if relevant)

  • Matches current MCP spec
  • No breaking change to MCP clients

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • No secrets/credentials committed
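The design described in the PR body (decrypt with the `cryptography` library, write the plaintext key to a 0o600 temporary file, clean it up via `atexit`, hand unencrypted keys back untouched, and swap Gunicorn's `keyfile` in an `on_starting` hook) can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not the project's `mcpgateway/utils/ssl_key_manager.py` or `gunicorn.config.py`. The `generate_encrypted_key` helper stands in for the `make certs-passphrase` target so the example is self-contained, the `on_starting` wiring is a hypothetical sketch of the hook the PR describes, and the environment variable names `SSL` and `SSL_KEY_PASSWORD` are the ones the PR body lists.

```python
"""Added example (not the project's ssl_key_manager.py): decrypt a
passphrase-protected PEM key into a 0o600 temp file removed at exit,
pass unencrypted keys through unchanged, and wire it into Gunicorn.
Requires the `cryptography` package."""
import atexit
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Decrypted temp files created in this process; deleted when the process exits.
_TEMP_KEY_FILES: List[str] = []


def _remove_temp_keys() -> None:
    for path in _TEMP_KEY_FILES:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


atexit.register(_remove_temp_keys)


def is_encrypted_pem(key_path: str) -> bool:
    """True when the PEM key refuses to load without a passphrase."""
    try:
        serialization.load_pem_private_key(Path(key_path).read_bytes(), password=None)
    except TypeError:  # cryptography: "Password was not given but private key is encrypted"
        return True
    return False


def prepare_key_file(key_path: str, passphrase: Optional[str]) -> str:
    """Return a keyfile path Gunicorn can open without a passphrase.

    Unencrypted keys are returned as-is (no copy). Encrypted keys are decrypted
    and written to a temp file that mkstemp creates with mode 0o600 and O_EXCL,
    so no other local user can read the plaintext key, even briefly.
    """
    if not is_encrypted_pem(key_path):
        return key_path
    if not passphrase:
        raise ValueError(f"{key_path} is passphrase-protected but no passphrase was supplied")
    try:
        key = serialization.load_pem_private_key(Path(key_path).read_bytes(), password=passphrase.encode())
    except ValueError as exc:  # wrong passphrase or damaged key; never echo the passphrase
        raise ValueError(f"could not decrypt {key_path}: wrong passphrase or damaged key") from exc
    plain_pem = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )
    fd, tmp_path = tempfile.mkstemp(prefix="mcpgw-key-", suffix=".pem")
    with os.fdopen(fd, "wb") as fh:
        fh.write(plain_pem)
    os.chmod(tmp_path, 0o600)  # belt and braces; mkstemp already used 0o600
    _TEMP_KEY_FILES.append(tmp_path)
    return tmp_path


def on_starting(server) -> None:
    """Hypothetical Gunicorn server hook: runs once in the arbiter, before
    workers spawn, and replaces cfg.keyfile with the decrypted temp file."""
    if os.environ.get("SSL", "").lower() != "true":
        return
    server.cfg.set("keyfile", prepare_key_file(server.cfg.keyfile, os.environ.get("SSL_KEY_PASSWORD")))


def generate_encrypted_key(path: str, passphrase: str) -> None:
    """Constructed test material: a fresh P-256 key encrypted under `passphrase`
    (the project's Makefile target generates its certificates with openssl)."""
    key = ec.generate_private_key(ec.SECP256R1())
    Path(path).write_bytes(key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase.encode()),
    ))


def demo() -> Dict[str, object]:
    """Round-trip in a throwaway directory and report what happened."""
    encrypted = os.path.join(tempfile.mkdtemp(prefix="sslkey-demo-"), "key.pem")
    generate_encrypted_key(encrypted, "correct horse battery staple")
    decrypted = prepare_key_file(encrypted, "correct horse battery staple")
    rejected = {}
    for label, bad in (("wrong", "not the passphrase"), ("missing", None)):
        try:
            prepare_key_file(encrypted, bad)
            rejected[label] = False
        except ValueError:
            rejected[label] = True
    return {
        "encrypted_detected": is_encrypted_pem(encrypted),
        "temp_file_used": decrypted != encrypted,
        "temp_loads_without_passphrase": not is_encrypted_pem(decrypted),
        "temp_mode": os.stat(decrypted).st_mode & 0o777,
        "plain_key_passthrough": prepare_key_file(decrypted, None) == decrypted,
        "wrong_passphrase_rejected": rejected["wrong"],
        "missing_passphrase_rejected": rejected["missing"],
    }
```

Two points worth checking when reviewing the real implementation against this sketch: the plaintext key must live on a filesystem that other local users cannot read (`mkstemp` gives 0o600, but a world-readable shared volume in a container defeats it), and the `atexit` cleanup only runs on a clean interpreter exit, so a SIGKILL leaves the decrypted key on disk until the next start or a tmp cleaner removes it.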

@kevalmahajan kevalmahajan marked this pull request as draft December 11, 2025 09:14
@kevalmahajan kevalmahajan marked this pull request as ready for review December 11, 2025 09:28
@kevalmahajan kevalmahajan force-pushed the ssl_supporting_passphrase branch from 8da6a86 to cacea62 Compare December 12, 2025 04:34
@madhav165 (Collaborator) left a comment

Tested in a call with Sunish (Verizon)

@madhav165 madhav165 merged commit 7209c23 into main Dec 12, 2025
52 checks passed
@madhav165 madhav165 deleted the ssl_supporting_passphrase branch December 12, 2025 05:00
crivetimihai added a commit that referenced this pull request Dec 12, 2025
* mTLS support

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* feat: added mTLS support to plugin mcp servers.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: added streamable http support to runtime_mtls.py

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: updated plugin server runtime.py to support mTLS. removed chuk-mcp-runtime

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: switched chuk-mcp-runtime with mcp python sdk to support mTLS.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: updated llmguard and opa plugins to install the mcp official sdk.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* feat: added health check to plugin server runtimes.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: added health check for mtls plugin server

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: removed chuk-mcp-runtime, replaced with official mcp library.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: runtime tests.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* feat: initial revision of configurable plugin builds.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* docs: added mtls plugin documentation.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: linting issues.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: install templates with cli, fix error messages.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: mtls and stdio test cases.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: remove commented code.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* docs: and examples

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: docstring issues

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* tests: added unit tests and more commenting.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* tests: add tests. Fix doc tests.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: change to make python the default.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: bandit issue.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: updated key length to 4096

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: utility function for verifying certificates.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: added utility class for ssl certificate verification.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* test: added certificate validation tests.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* feat: added support for cert-manager in k8s.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* tests: skipped tls doctest.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* test: fix doctests.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: added example cert-manager issuer file.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* docs: updated mtls documentation to point to plugins mtls documentation.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: forgot to add deploy-k8s-cert-manager.yaml

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* feat: add registry pushing support. clean up pydantics.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: fixes to support Openshift, and support enabling plugins in k8s.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* feat: added openshift route file for installing route to mcpgateway admin site.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* chore: fix vulture issues

Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>

* chore: fix yamllint issues

Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>

* test: add unit tests

Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>

* chore: doctests coverage

Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>

* tests: add doctests

Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>

* docs: simplified docs and added an example configuration at the top.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* fix: doctest issue.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* docs: added more doctests.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* docs: added more doctests.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* docs: omit builder classes from doctest coverage analysis.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* Roadmap update

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* lint: fix flake8 issues.

Signed-off-by: Teryl Taylor <terylt@ibm.com>

* Minor fix to OAuth token expiry logic (#1579)

* minor fix to oauth token expiry logic

Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Fix tests in test_prompt_service
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Fix doctest
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Fix failing test
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

---------

Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* fix uuid migration for postgresql (#1584)

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* Enabling HTTPS with Encrypted SSL Keys via Passphrase Support (#1578)

* added ssl key manager

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* update gunicorn config to support ssl cert passphrase

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* update docker-compose with passphrase variable

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* targets supporting certs with passphrase

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* check passphrase

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* fix location

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* update test cases

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* linting

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

---------

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* added test resource functionality (#1575)

* added test resource functionality

removed content part from edit & view screens of resource

updated message displayed on UI when edit/view/test buttons are clicked for inactive resource

Signed-off-by: Satya <tsp.0713@gmail.com>

* updated ResourceTemplate id datatype to str

updated isActive for resource in admin.js based out of enable

alignment correction made to code for sse connection under transport.py

Signed-off-by: Satya <tsp.0713@gmail.com>

* fixing tests

Signed-off-by: Satya <tsp.0713@gmail.com>

* rebase, conflicts resolved

Signed-off-by: Satya <tsp.0713@gmail.com>

---------

Signed-off-by: Satya <tsp.0713@gmail.com>

* Fix in toolops tab UI code to call admin tools endpoint to get list of tools. (#1573)

* fixed page refresh issue when added mcp server from server list page.

* Minor update to toolops README

---------

Co-authored-by: Neelamadhav Gantayat <neelamadhav@in.ibm.com>

* Correlation ID for Unified Request Tracking (#1443)

* Add correlation ID system for unified request tracking

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* replace undefined bearer_scheme with security

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* lint & test fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* fixes for lint

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* pylint fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* test fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* Bandit fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* fix for test

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* additional changes for UI & middleware

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* fix bug

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* dropdown mismatch fix

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* fixes for UI

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* UI fixes for adding user details

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* admin ui fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* flake8 fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* test fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* lint fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* fix for doctest

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* auth issue fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* update for failing tests

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* flake8 fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* flake8 issue

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* prevent SQLite rollback error on validation failures

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* false positive issues

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* fix lint issue

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* update alembic file

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* updated alembic revision

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* changes in table schema

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* gateway service fixes

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* updated tests

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* fix doctest coverage

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

* fix: resolve rebase conflicts and fix test issues for correlation ID PR

- Fix Alembic migration to chain after main branch head (356a2d4eed6f)
- Fix is_active/enabled attribute access in services (server, prompt, resource, export)
- Update export_service to use getattr with fallback for backwards compatibility
- Add db.refresh before return in tool_service.register_tool to handle
  session expiry after audit/logging commits
- Add SessionLocal patches in conftest.py for audit_trail_service and log_aggregator
- Update test assertions for expected db.refresh call count
- Apply isort import ordering fixes across service files

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Linting

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: ensure cross-database compatibility for migrations and update tag fuzz test

- Use sa.false() instead of string literals for Boolean server_defaults
  in migration (SQLite uses 0/1, not "false"/"true")
- Use sa.text("'{}'") for JSON server_defaults to ensure proper quoting
- Update fuzz test to expect dict tags format {id, label} instead of strings

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>

* Enable vault token (#1585)

Signed-off-by: Chris PC <chrispc@li-4dc2bf4c-325d-11b2-a85c-b68e8b1fc307.ibm.com>
Co-authored-by: Chris PC <chrispc@li-4dc2bf4c-325d-11b2-a85c-b68e8b1fc307.ibm.com>

* [Security Feature]: RBAC Plugin using Cedar (#1499)

* Prompt and tool hooks implementation for cedar plugin

Signed-off-by: Shriti Priya <shritip@ibm.com>

* Adding hook implementation and test cases for resource hooks

Signed-off-by: Shriti Priya <shritip@ibm.com>

* test cases for all hooks in cedar and custom_dsl policy language modes

Signed-off-by: Shriti Priya <shritip@ibm.com>

* Adding documentation in code

Signed-off-by: Shriti Priya <shritip@ibm.com>

* Files for external server

Signed-off-by: Shriti Priya <shritip@ibm.com>

* Adding documentation

Signed-off-by: Shriti Priya <shritip@ibm.com>

* Documentation update

Signed-off-by: Shriti Priya <shritip@ibm.com>

* update documentation

Signed-off-by: Shriti Priya <shritip@ibm.com>

* Updating documentation

Signed-off-by: Shriti Priya <shritip@ibm.com>

* Adding env variables for transport and host in env.template

Signed-off-by: Shriti Priya <shritip@ibm.com>

* Solving yaml lint issues

Signed-off-by: Shriti Priya <shritip@ibm.com>

* reverting changes in opa

Signed-off-by: Shriti Priya <shritip@ibm.com>

* fixing pylint and flake8 issues

Signed-off-by: Shriti Priya <shritip@ibm.com>

* fixing flake8 issues

Signed-off-by: Shriti Priya <shritip@ibm.com>

* fixing lint issues

Signed-off-by: Shriti Priya <shritip@ibm.com>

* manifest update and flake8 issues resolved

Signed-off-by: Shriti Priya <shritip@ibm.com>

* init in test update

Signed-off-by: Shriti Priya <shritip@ibm.com>

* Adding new line

Signed-off-by: Shriti Priya <shritip@ibm.com>

* documentation update and error handling

Signed-off-by: Shriti Priya <shritip@ibm.com>

* fixing lint issues

Signed-off-by: Shriti Priya <shritip@ibm.com>

* fixing flake8 issues

Signed-off-by: Shriti Priya <shritip@ibm.com>

* fix(cedar-plugin): improve code quality and formatting

- Fix import order (move urllib.parse to standard library section)
- Replace unnecessary elif after return with if statements
- Apply black and isort formatting to plugin and tests

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Linting

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Shriti Priya <shritip@ibm.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: add nosec comments for subprocess calls in builder module

Add bandit nosec comments to suppress B404, B603, and B607 warnings
for legitimate subprocess calls in the deployment builder module.
These subprocess calls are used for git operations and container/
kubernetes commands which are necessary for the deployment tool.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Rebase and lint

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Teryl Taylor <terylt@ibm.com>
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
Signed-off-by: Satya <tsp.0713@gmail.com>
Signed-off-by: Shoumi <shoumimukherjee@gmail.com>
Signed-off-by: Chris PC <chrispc@li-4dc2bf4c-325d-11b2-a85c-b68e8b1fc307.ibm.com>
Signed-off-by: Shriti Priya <shritip@ibm.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Teryl Taylor <terylt@ibm.com>
Co-authored-by: Frederico Araujo <frederico.araujo@ibm.com>
Co-authored-by: Madhav Kandukuri <madhav165@users.noreply.github.com>
Co-authored-by: Keval Mahajan <65884586+kevalmahajan@users.noreply.github.com>
Co-authored-by: Satya <tsp.0713@gmail.com>
Co-authored-by: Jay Bandlamudi <jay_bandlamudi@in.ibm.com>
Co-authored-by: Neelamadhav Gantayat <neelamadhav@in.ibm.com>
Co-authored-by: Shoumi M <55126549+shoummu1@users.noreply.github.com>
Co-authored-by: ChrisPC-39 <60066382+ChrisPC-39@users.noreply.github.com>
Co-authored-by: Chris PC <chrispc@li-4dc2bf4c-325d-11b2-a85c-b68e8b1fc307.ibm.com>
Co-authored-by: Shriti Priya <shritip@ibm.com>
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request Feb 24, 2026
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request Feb 24, 2026
…1207)

Labels: None yet

Projects: None yet

Development

Successfully merging this pull request may close these issues:

  • [BUG][CONFIG]: Support for passphrase protected SSL keys in HTTPS config

2 participants